Cost inflation is real, and painful to the bottom line of businesses everywhere. Businesses get caught between their own rising costs on one side, and the risk of unhappy customers on the receiving end of price increases to cover those costs on the other side. It’s a frustrating situation.
And insurance is one of those costs of doing business. Building, contents, liability, directors’ and indemnity insurance have all recorded price rises in recent times. Cyber liability insurance is not immune either. In fact, for many organisations the risk of cyber events and the associated insurance costs now outweigh the risk of terrorism.
Are there any actions I can take to lower the cost of those premium payments?
Yes, there are tangible, proactive ways to lower the cost of your cyber insurance premiums. It involves doing the digital security equivalent of putting locks on the doors and security screens on the windows of your home. These actions lower your exposure to risk, and your insurer lowers your assessed risk profile in turn. And since insurance premiums are priced on risk, any action you take to lower your risk may lower your premium.
If you don’t know your exposure to risk, then you are more than likely absorbing risk unwittingly. Something your insurer certainly won’t be doing.
Some exposure examples might be;
What can you do then?
1. Implement strong cyber security policies and procedures
An effective cyber security approach doesn’t rest on a single action or activity but on a strong framework. In practice, that means having policies and procedures that cover each relevant aspect of the digital security of your business. This is highly tailored to each business and industry. For example, a company that provides services to a defence contractor or a health organisation will have more complex requirements than a local volunteer organisation. Understanding what types of policies and procedures an organisation like yours should have is key, and something that an experienced consultant can assist with. Remember, your IT systems are always at risk through multiple sources of access as well as personnel, both internally and externally.
2. Design an effective incident response plan
An incident response plan is the business version of a fire drill and evacuation. A hypothetical network failure or data breach is created and then you and your team can sit down to plan what your responses would be to loss of access to systems, a breach of customer data or a ransom request. Planning a response can also help to identify preventative and mitigating actions such as backing up business-critical data with a third-party provider. Unless you have Plan B in place, it is highly likely that any recovery post-event will cost you far more than prevention. Some businesses just do not survive.
3. Implement cyber security awareness training for staff
The data shows a very clear fact: most data breaches and network compromises happen as a result of staff accidentally clicking a link, downloading software or giving information that allows malicious actors access to a business system. But to flip that on its head, it means that you and your staff can also be the strongest first line of defence. A way to demonstrate this for the purposes of lowering an insurance quote is to have a regular program of cyber security awareness training and testing for staff, with sign-offs and updated modules as threats evolve. People risk is the common factor.
4. Keep software and operating systems updated
You likely run your business on a number of different operating systems. Sales people and technicians working in the field might make use of the Apple family of products and have iPads and iPhones for tracking work orders and appointments. Your office might be more heavily reliant on Microsoft software products like Word, Excel and SharePoint.
But no matter what choices you have made for your products, there is one constant: keeping software updated. Hackers are adept at finding weaknesses in operating systems and programs. Luckily, the companies that provide this critical business infrastructure are proactive and good at identifying these weaknesses and ‘patching’ them. But you need to have a regular program of updating your software and installing the updates that flow through. Some insurers are now denying claims for losses emanating through legacy software, or software which is not up to date or supported.
5. Follow a regular penetration testing schedule
Penetration testing lets businesses find weak points in their defences and address them with better controls. But a business and its systems aren’t ‘fixed’ – they evolve over time. That means that scheduled, regular testing is the best option if you are seeking to demonstrate a diligent approach to your cyber security to an insurance provider.
Not sure where to start?
If you’ve received your annual cyber insurance premium, or you’ve looked into the cost but are wondering whether it’s a fair quote, CyberUnlocked can help.
We partner with insurance brokers and risk managers who can help explain the landscape for cyber security insurance as it applies to your business and industry, and help you understand if there are things that you can do to lower the cost of insuring your business against potentially damaging cyber threats.
Unfortunately, cyber insurance is relatively new. The law, both in Australia and overseas, is constantly behind the IT services and products being provided. With new insurers wanting to get a slice of the action, a risk environment where losses are growing exponentially and policy wordings that are almost impossible to compare, it is an area for expert advice.
Insurance does not change risk – it either pays or does not.
We can help you change your risk profile. Good security and risk mitigation must be a deliberate and considered exercise. The benefits are the reduced likelihood and seriousness of cyber events. The bonus is a reduced dependence on insurance and lower annual premium costs.