Please note, the information and advice contained in this article is general in nature. For professional advice specific to your needs, please consult your broker.
As a business owner, it goes without saying that you have public liability, professional indemnity, and fire and theft insurance policies in place. But what about cybersecurity? What measures are you taking to reduce the impact of a cyberattack? If the answer is ‘not a lot’, then it’s time we had a talk.
Last year, 62% of Australian small to medium businesses reported experiencing a cybersecurity incident of some kind. According to Travis Carter, Director, Retrac Solutions, this is not surprising, as small to medium businesses are often seen as easy targets.
“Whilst we are definitely seeing more and more businesses focus on cybersecurity, small businesses and start-ups are often still of the opinion that ‘it won’t happen to me’. It may seem like hackers attack bigger businesses more as we hear about it in the press, but the truth is that the smaller the business, the easier the target,” Travis explains.
This is a thought echoed by Tim Allan, Partner at Insurance Advisernet SouthEast.
“There is definitely an increased awareness around cybersecurity at the top level, but I believe the SME businesses are struggling with the concept of Cyber Insurance.
When renewing or implementing a policy, clients are often shocked at the level of detail they need to provide.
They also need guidance on how to mitigate or reduce the risk of a cyberattack,” notes Tim.
What does a cybersecurity policy cover?
As with any insurance policy, cybersecurity policies have inclusions and exclusions to be aware of.
“If your policy covers you for first-party costs then you should be covered for initial incident response costs once a breach is identified as well as data restoration, legal defence, notification costs (under the NDB scheme) and extortion resulting from ransomware incidents,” explains Tim.
However, as with any other insurance policy, whilst you may be covered, you also need to look into limitations per item covered.
“Cybersecurity policies are available for as little as $500 per year. This can look tempting to a small business, but the fact is that this kind of policy will generally come with lower cover limits. In reality, if you suffer a major breach or attack, $100,000 is quite unlikely to cover the cost of the damage caused,” adds Travis.
Policy around ransomware attacks is also currently under scrutiny. Recent legislation considerations in several states will prohibit the payment of ransomware demands.
Policies can advertise and provide cover for costs incurred as a result of ransomware but will no longer be allowed to compensate simply against a ransomware demand.
In addition to first-party coverage, policies will include third-party cover. This protects businesses against any losses or damages for failing to protect client records.
“It’s really important to explain that with these policies, there is a process to go through to secure one. You can’t just pay a premium and expect to be compensated in the event of a data breach. To be eligible for a policy, you have to prove that you are taking proactive measures to reduce the risk of cyberattacks on your business,” stresses Tim.
Business interruption as a result of an attack is also not covered by first- and third-party policies. The focus of the insurance is to help restore your business to its pre-attack position.
“Basically, you need to do your due diligence. You need to be confident you are taking the necessary security precautions and you need to be sure that the policy you choose will adequately support your business in the event you need to make a claim,” says Travis.
Be prepared. Complacency can kill your business
According to Tim and Travis, if you don’t know what measures you are taking to protect against cybersecurity threats, then they probably aren’t enough.
“Overall, I think business leaders have become savvier in terms of awareness. Equally, products like Microsoft 365 offer functionality that can do a lot of the security leg work for you. But there is still a need to deep dive into your systems and establish gaps that need addressing,” says Travis.
Retrac offers all customers a security bundle to increase their proactive measures against cyber criminals.
“The forms that Tim and his peers send really push businesses to explore their systems at a granular level. We often use them to cross-check our offering and make sure our security bundle is providing a best-practice approach,” adds Travis.
“Having an IT partner like Retrac is definitely a step in the right direction. But ultimately, the protection and sustainability of a business sits with the leader. If you don’t want your details on the dark web and if you are serious about protecting your organisation, you need to investigate a cybersecurity policy,”