Cyber Insurance for SMBs

According to Jenny Jooste, Client Manager for Cyber and Professional Indemnity Technology at Aon South Africa, cyber threat activators specifically target SMBs because their Information Technology (IT) controls are typically weaker than what they are likely to encounter at a large corporate organisation.

“SMB’s have become an easy target because the majority believe that the information the company holds is not important. Furthermore, many SMBs simply do not have the workforce capability or budget to spend a huge amount of time and effort on a task that does not form part of its core capabilities – IT security,” Jenny explains.

The following is often the scenario with SMBs:

The IT team is less likely to be provided adequate funding to implement monitoring tools such as Privileged Access Management (PAM) or Security Information and Event Management (SIEM) and firewalls.
Systems can easily be accessed without a Virtual Private Network (VPN) or Multi-Factor Authentication (MFA).
SMBs may not necessarily have data back-ups that are offline and/or off site.
There may also be no measures in place that would prevent lateral movement and access to multiple systems in the group.
IT functions are often outsourced to a third-party vendor, often with no contracts or audits in place to ensure that correct security measures are in place.
Most SMBs allow employees access to USBs and their personal Gmail accounts on company laptops, furthermore allowing devices such as smart phones to link to company systems.

“All of these scenarios add a higher threat level to an organisation’s cyber risk profile and the data held by a small to medium-sized organisation. And although many SMBs believe that they are unlikely to fall victim to a cyber breach or suffer losses due to human error, the consequences can be dire from a business interruption perspective, not to mention the possible reputational damage caused or legislative risks involved such as the Protection of Personal Information Act (POPIA),” explains Jenny.

“The first step in safeguarding your SMB is to get a professional cyber risk expert in to do a thorough assessment by means of vulnerability and penetrating testing to identify any gaps that may exist from an internal and external cyber security perspective. It is the first step in putting a cyber risk management program in place that will detail a road map to get controls where they should be,” says Jenny.

Once an SMBs data and systems are protected, the next step would be to put cyber insurance in place to protect the company’s bottom line in the event of a cyber breach.

“SMBs are generally under the false impression that these types of incidents would be covered under their general business insurance. The reality is that all cyber-related covers are excluded from traditional short-term insurance policies. That is why it is critical for SMBs to address the risk that a cyber breach holds with specific and specialised insurance provided under a cyber policy,” says Jenny.

“Cyber risk insurance is affordable for small businesses, and especially so when you weigh up the potential risk and costs that the business could be faced with in its absence. IT departments defend systems from potential hackers on a daily basis and in most instances, small cyber incidents can be handled internally. However, cyber cover has become a catastrophe type cover for bigger losses and includes the added benefit of an Incident Response (IR) team to assist during the claim: Negotiating with hackers, handling communications to staff, media and clients, legal advice related to contracts in addition to IT forensics to help contain the breach,” says Jenny.

What does cyber risk insurance cover?

“A typical cyber risk insurance policy will cover your organisation’s data, your business connectivity, any Business Interruption (BI) losses as a result of a breach, third-party liability claims as a result of a breach and any Incident IR costs incurred. Cyber insurance also provides cover for human error, such as an incident where information is sent out erroneously, or a software upgrade that goes wrong,” Jenny explains.

Most cyber risk insurance policies offer the following sections:

– Privacy liability – In the event that you are unable to protect third-party data, your own data, corporate information, vendors, staff, clients and the like.
– Network liability – if your network is comprised and the business is unable to trade.
– Cyber extortion – The cost involved in getting the one-time pin to access your data following a Distributed Denial of Service (DDoS) breach.
– Data and system recovery costs – The cost of restoring your business data if it has been altered, changed or destroyed.
– Ransomware – this malicious software prevents access to your computer system and or data, holding it ‘ransom’ at a price that the business needs to pay to release the data.
– Business interruption – Cyber risk insurance covers losses sustained during the period of time that lapses between the occurrence of the cyber breach and the point where your business data and connectivity is restored.
– Incident response team – The costs involved in appointing attorneys to assist with any contract liability, public relations professionals, an IT forensics team and incident response management.
– Media liability – Pertaining to defamation lawsuits or copyright infringements.
– PCI – Cover for any Payment Card Industry (PCI) fines.
– Regulatory fines – Any regulatory fines that could be levied against the company in light of legislative liability pertaining to POPIA, General Data Protection Regulation (GDPR) or any other relevant legislation, in so far as is allowed by public policy in the respective country.

“It is crucial for SMBs to understand the value of their data and connectivity. In an increasingly digital world, our day-to-day business activities rely heavily on digital solutions, which presents an evolving cyber risk landscape that could severely affect your business should something go wrong. Engage with a broker who specialises in cyber risk insurance who can provide the data and insights you need to make better decisions when it comes to protecting your SMB from cyber risk,” Jenny concludes.