After years of warnings and breaches, the business world has accepted that when it comes to cyber-attacks, it’s a matter of ‘when’, not ‘if’. Not a single organisation is immune to a breach – not even the most secretive and cautious.
Down under, a KPMG report in 2023 found a third of Australian businesses – that’s 693,053 organisations – have experienced cybercrime, costing the economy AU$29 billion per year. Meanwhile, the average cost of each data breach climbed 32 per cent in the last five years, hitting AU$4.03 million, and it’s the financial services, technology and education industries paying the highest price.
It’s a scenario which has seen companies funnel budgets towards strengthening their cyber security strategies. Gartner analysts forecast Australian companies will spend $7.4bn on information security and risk management this year, marking an 11.5 per cent jump.
Cyber Insurance Growing
Not all that money is going towards bringing in the latest cyber tech and expertise. Significant investment is directed at cyber insurance, which has become critical in the last five years as business and the economy grows evermore digital – operating without it is an untenable risk, and companies are desperate to offset the impact of an incident.
But cyber insurance isn’t a free pass. Just having a cyber insurance policy doesn’t transfer all of the risk.
That’s because cyber insurance is only a safety net, just like the car insurance we all lean on. We don’t want to use it, but it’s important to have in case we’re swiped by a negligent driver. But we have responsibilities to keep our insurers happy if we want it to actually pay out. Being found speeding, drink driving, or using a phone at the wheel are all going to lead to claims rejections. And being a ‘high risk’ driver is going to make it hard to get a policy, or get one at a reasonable cost.
In the cyber insurance world, many policies exclude any coverage at all in the case of criminal or fraudulent acts, or negligent disregard for security. So, it’s essential to make sure that your organisation, and your staff, have taken all reasonable steps to protect sensitive data, or your claims may be void. Sensitive data, including personally identifiable information (PII), is the primary target in most cyber-attacks, and businesses must demonstrate they are accountable in the measures they’ve taken to protect stakeholder privacy to make any insurance claims viable.
Setting Expectations for Cyber Insurance
Accountability for businesses means targeting data governance controls to meet the expectations of cyber insurers. A robust cyber security strategy needs to focus on the impact of a breach, not just trying to avoid being breached; specifically, that means reducing what and how much information is exposed when the bad guys inevitably get in.
This is not an easy feat given the sheer volume of data businesses are handling, and its variety and velocity. And despite increased awareness of cyber-attacks and the increasingly regulated requirements for privacy, storing and using information responsibly is only becoming more challenging. The complexity is amplified by increasingly distributed workforces, and the number of systems and channels they use to collaborate – there is more data being used by more people, at faster rates of capture, and across more platforms, creating greater risk for exposure.
Cyber Insurance Calculations
The other problem is insurers don’t make it easy – and some are outright unwilling to take the risk on cyber. Many specialist cyber insurers will decline to give coverage, or will add significant premiums to their coverage, to companies considered ‘high hazard’ – those holding large amounts of PII, PCI (financial information), or PHI (health information).
For businesses, the starting point to securing a competitive cyber insurance policy, and ensuring it will actually pay out, is knowing what personal and other sensitive data the company holds, where it is being stored across the whole enterprise, how it is being used, who has access to it, and how long it must be kept under law.
Once this level of granular visibility is established, organisations need to introduce effective and comprehensive information governance frameworks – typically managed automatically by digital systems – that address data classification, retention, access controls, and compliant disposal. Disposal is particularly important, as one study found that, when insurers come to assessing your information and data management controls to price and issue your policy, “the most common question in this category was whether a data retention and destruction policy existed”.
Without automated information governance at scale, it’s impossible to be confident that high-risk data isn’t being overlooked; not just the credit card and health details which are relatively easy to pin down, but also the likes of legal clauses, contract terms and values, IP and trade secrets, controversial topics, and financial plans, for example, all of which sit across multitudes of documents and systems. It’s important to note as well that cyber insurance typically will not cover loss of your trade secrets or IP, so having this type of sensitive information properly controlled matters in more ways than one.
Reducing Risk
Information governance mechanisms reduce risk, by minimising the volume of private and sensitive information that may end up in the hands of cyber criminals. Reducing the likelihood of a breach is still important to invest in, but reducing the impact of a breach, by hardening and minimising your high-risk data, matters more to cyber insurers than any other factor.
Having a complete view of data is also integral to the ability to comply with data protection laws and regulations – whether it’s the Notifiable Data Breach scheme down under, or regional frameworks in regions where a company operates, such as the European Union’s General Data Protection Regulation (GDPR) – and subsequently qualify for an insurance policy’s coverage for regulatory fines and penalties.
Conclusion
As organisations increasingly look towards cyber insurance to strengthen their cyber security strategies, it’s imperative their houses are in order. The first line of defence is having a clear picture of all the data you hold and how you are handling and retaining it, to ensure you can get insurance, at the best price, and can get it actually paid out in the event of a breach.