It took over 5 years of research and due diligence to evaluate potential cybersecurity risks and build a cyberinsurance policy that underwriters would be willing to back, a Cyber Plus director has revealed as the company debuted its Small Business Bundle of insurance, services and security tools.
The long lead time stemmed from the need to carefully evaluate past breach experiences, tool effectiveness, and the real business risk around cybersecurity attacks, director Paul Waite told CSO Australia. Careful attention, he said, was paid to the problems small and medium businesses (SMBs) had when trying to claim damages under existing insurance policies.
“Most SMBs have [insurance] for fire and floods and so on, but they don’t have a business continuity plan in place for cybersecurity,” Waite explained. “But if you have a serious event, and need to report it, it can have an impact on cashflow and reputation.”
That impact is likely to become more pronounced under Australia’s National Data Breach scheme, which will become active next year and will almost certainly see a surge in public reports about breaches at SMBs and large enterprises.
SMBs, however, run the risk of their business being destroyed from the direct or indirect consequences of such a breach, particularly as new European Union privacy regulations threaten massive fines for non-compliant Australian companies from May 2018.
“Small businesses don’t have the internal IT capabilities to be able to keep on top of all of this,” Waite explained. “Cyber insurance has always proved tricky because there are so many moving parts, and a lot of people particularly haven’t got a full understanding of the impact to the supply chain if a third party has a data breach event. That’s why the risk assessment and incident response aspect of this is very important.”
The 2011 destruction of technology business Distribute.IT after a cyber attack has become the stuff of legend in cybersecurity circles, and it was a key factor that motivated Waite to begin exploring the cybersecurity insurance package that was finally launched this week.
Participating companies first undergo a security vetting process that includes 10 questions eliciting details about existing security controls – including password change policies, the presence of an incident response plan, how firewalls are configured, and so on. Companies are also asked a series of industry-specific questions that address potential security vulnerabilities particular to their business.
Once a company’s existing security posture has been evaluated, it can access the other elements of the bundle – which was launched this week by small business minister Michael McCormack and includes security tools from Australian security firms such as multi-factor authentication vendor TokenOne, email security pioneer MailGuard, and Datasc’s encrypted file sharing tool Cryptix.
With these tools in place – or with evidence that the business already uses similar tools – Cyber Plus can complete its risk profile and ensure that SMBs have not only improved their overall security, but can also demonstrate proactive measures that reduce their actuarial risk. This, in turn, makes them acceptable risks for insurance – allowing Cyber Plus to market the policies to underwriter Lloyd’s of London with clear parameters around covered risks.
Because of the bundled processes, “we have internal statistical evidence that helps us assess the profile of the business,” Waite explained. “We know where the weaknesses lie – and that’s why we have engaged with some companies to fill the breach. By using a cyber-by-design approach, it allows us the flexibility to be able to negotiate better on the potential insured’s behalf.”
The Small Business Bundle also includes advisory services from BDO, Ernst & Young and Deloitte; legal support through Minter Ellison and Mallesons; and Equifax credit monitoring designed to rapidly inform small businesses if a cybersecurity breach leads to fraudulent activity involving their credit.
Each bundle of services and products will be slightly different depending on the particulars of each small business taking up the product. But with years of examination of potential permutations, Waite is confident that the firm has enough of a grasp on the nature of cybersecurity risk and breaches that the new policies will withstand the rigours of the coming explosion of NDB reports.
“You can’t have a one-size-fits-all category,” he said. “It just doesn’t work. That’s one of the things that has taken us so long: we’ve analysed every product in the marketplace, and built a database of information that pinpoints weaknesses based on what we know regarding the cyber threats that are out there.”
“It has taken us five years to get to this point, but I’m pleased that we have because we’ve got the bases covered.”