Before talking about cyber insurance premiums and the coverage available, it’s important that clients first recognize some of the basic cyber risks faced by their business as many may not know where their major exposures lie or that insurance exists to cover them.
To help you get the conversation started, we’ve put together a handful of questions you can ask along with key talking points for each.
-
Do you send or receive payments electronically?
Cybercriminals are increasingly intercepting electronic fund transfers, often by hacking into email accounts, pretending to be someone else and sending fraudulent instructions.
These scams are hard to spot because cybercriminals are taking the time to study how their victims send and receive payment requests, and they often come from legitimate email accounts that have been compromised.
Payments are often unrecoverable as they are siphoned off into other accounts quickly. Banks are rarely able to recall the funds and refund the losses.
Cyber insurance can reimburse significant financial losses that come from scams like these. In fact, funds transfer fraud makes up about a quarter of CFC’s cyber claims globally. -
Do you collect or store personally identifiable information (PII) or business-critical information like client contracts, plans or other corporate information?
If sensitive information that you are responsible for is subject to unauthorized access or disclosure, you will most likely have to notify affected individuals of the breach.
You may be required to provide other services to these individuals, such as credit monitoring or identity theft insurance.
When it comes to PII, there are usually rules and regulations about how to secure this data. If you do not adhere to them and subsequently suffer a cyber event, you could face regulatory fines and penalties.
Cyber insurance covers a range of costs associated with responding to data breaches, including legal advice, notifying affected individuals and any regulatory fines and penalties that may be incurred. -
Do you have access to a cyber security or incident response team to deal with a cyber event?
Most SMEs lack the resources to have their own in-house cyber security or incident response team to prevent or respond to cyber attacks.
A good cyber policy will give you access to proactive cyber attack prevention services. Utilizing a range of techniques unavailable to everyday businesses like vulnerability scanning, threat monitoring and intelligence feeds, all at no extra cost.
Who would you call if you came into work one day to find all your computers inaccessible and encrypted by malware? Access to a technically-led incident response team can be the difference between a catastrophic loss and getting back online quickly.
Cyber insurance will cover the costs of the incident responders triaging, containing and repairing your network back to an even more secure state than it was before the attack.
Hackers target businesses that are vulnerable, not just valuable.
-
How long can your business operate without access to computer systems and the data they hold?
You are probably more dependent on computer systems than you realize.
Understanding that modern businesses are partly or entirely reliant on technology in order to operate, cybercriminals increasingly see ransomware attacks and targeted extortion attacks as an easy way to make money. They do this by encrypting key data and demanding large sums of money in exchange for the decryption key.
Most small businesses lack the technical resources to deal with attacks like these in-house and may not have anyone experienced enough to turn to in the event that their systems are brought down.
The length of system downtime can vary from business to business, but in some cases business operations can be severely impacted for weeks or even months after a cyber event.
Back-ups are frequently targeted and either deleted or encrypted during the course of these attacks, leaving businesses with little recourse when it comes to reinstating their data.
Cyber insurance not only gives you access to a range of technical experts to help get you back online fast, but it covers the financial losses incurred as a result of your business operations being interrupted and the costs of re-creating any lost or corrupted data. It can even cover the reputational impact of canceled contracts and customers choosing to go elsewhere. -
Do any of your employees work remotely?
Many ransomware attacks stem from cybercriminals exploiting remote access solutions, whether by conducting brute force attacks which crack simple passwords or by using stolen login credentials.
Similarly, funds transfer fraud scams often rely on cybercriminals gaining remote access to employee email accounts to perpetrate their scams.
Employees may also be more susceptible to phishing scams whilst working from home, especially when they have no one in the immediate vicinity to sense check suspicious emails.
In addition, there’s always the risk that work devices taken outside of the office can be lost or stolen, which may result in a data breach.
Cyber insurance can protect against the financial losses that result from the unintended consequence of remote working, whether that be in the form of ransomware, funds transfer fraud or a data breach. -
Are you confident that you or your employees will never make a mistake?
Having good cyber security controls in place can make an organization less vulnerable to attack, but it can never make them 100% secure. Indeed, humans are often the weakest link in the cyber security chain.
This includes everything from employees clicking on a malicious link or attachment in a phishing email, handing over their username and passwords to fraudsters, using weak passwords, not following up new funds transfer requests with a phone call, or losing devices containing sensitive information.
Cyber insurance covers the financial losses that can result from these common errors, as well as giving you access to technical experts if someone makes a mistake. It also usually comes with a range of free cyber security tools, including phishing tools to help employees better spot suspicious emails.
