Cyber Insurance - I Toll'd you so

Anyone following me on LinkedIn, any of my clients, and friends for that matter will all attest to my awareness and advice on the need for every business to be considering cyber insurance. Sometimes I feel like I talk about it till I'm blue in the face and still it's taken up so rarely by the business community relative to the extreme risk it poses. Yes, I agree prevention is better than the cure. But there is no 100% guaranteed prevention anymore and potentially you could argue there never was one. It was well documented last week the cyber impact on Toll. 

A transportation company unlikely apart from the size of the company to consider themselves a cyber target facing a relatively new variant of the 'Mailto' or 'Kazakavkovkiz' ransomware. Toll isn't a bank or financial institution with juicy account details ripe for the picking. At best they hold details of a customers parcel and where it's going. Realistically they mightn't even record or have the information of what the parcel even contains. Yet, have found themselves entangled in a cyber event leading to an enormous stress to their business. 

It still amazes me when my clients who are predominately SME in nature question the need for such insurance cover. Depending on the industry / IT environment / turnover / and claims history a $1 mil limit covering costs for detection, rectification, PR, notification as well as business interruption loss might set you back anywhere between $2,000 - $4,000. A relatively small drop in the ocean compared to the potential of not having any system for weeks followed by an IT environment that mightn't be back to full operation for months. Imagine the impact that would have on your business? 

I always find myself highlighting to my clients that if big business with equally large IT budgets are getting tripped up by cyber events it would appear a miracle that a small business with relatively no IT spend hasn't been hit yet. In the Toll example they decided against paying any ransom demand by the hackers. This is curious because the statistics I hear all point towards an honour amongst thieves mentality when it comes to hackers. They're smart enough to know that if paid ransoms aren't met with a return of data then future ransom demands are seldom likely to be paid. So, to see a large organisation with what can only be presumed means of paying any ransom refuse to do so and risk potential lengthening of a downed IT system on the surface doesn't make a whole lot of sense. 

However I'm sure they had their reasons and only time will tell if this tactic was the correct course of action or not. Back to the issue at hand. That is the still lacklustre take up of cyber insurance amongst business owners despite plentiful access to over 25 Australian Insurers offering cover at very affordable prices. The 'won't happen to me' attitude is still alive and well in my opinion and is a very dangerous one for the business community to have. 

Perhaps the narrative needs to change from just adding to your insurance spend to realising that many insurers now have integrated very competent hour 0 break glass procedures into their policies. Meaning you're not just buying another insurance policy anymore; you're buying in most cases a dedicated cyber procedure that can be adopted as your own. Proverbially think of it as a number to call asap once you've been hacked and a swat team of IT geeks parachuting in through the window yelling 'step away from the PC!'. Well maybe not that dramatic but something along those lines. 

In summary 2 large transport companies were scared enough this week to speak to me about revisiting my proposal of cyber insurance for their business. A small sample size I know but I just hope that it doesn't take major publicised incidents in each business type to realise the need for adoption of a cyber insurance policy.

Anyone following me on LinkedIn, any of my clients, and friends for that matter will all attest to my awareness and advice on the need for every business to be considering cyber insurance. Sometimes I feel like I talk about it till I'm blue in the face and still it's taken up so rarely by the business community relative to the extreme risk it poses. Yes, I agree prevention is better than the cure. But there is no 100% guaranteed prevention anymore and potentially you could argue there never was one. It was well documented last week the cyber impact on Toll. 

A transportation company unlikely apart from the size of the company to consider themselves a cyber target facing a relatively new variant of the 'Mailto' or 'Kazakavkovkiz' ransomware. Toll isn't a bank or financial institution with juicy account details ripe for the picking. At best they hold details of a customers parcel and where it's going. Realistically they mightn't even record or have the information of what the parcel even contains. Yet, have found themselves entangled in a cyber event leading to an enormous stress to their business. 

It still amazes me when my clients who are predominately SME in nature question the need for such insurance cover. Depending on the industry / IT environment / turnover / and claims history a $1 mil limit covering costs for detection, rectification, PR, notification as well as business interruption loss might set you back anywhere between $2,000 - $4,000. A relatively small drop in the ocean compared to the potential of not having any system for weeks followed by an IT environment that mightn't be back to full operation for months. Imagine the impact that would have on your business? 

I always find myself highlighting to my clients that if big business with equally large IT budgets are getting tripped up by cyber events it would appear a miracle that a small business with relatively no IT spend hasn't been hit yet. In the Toll example they decided against paying any ransom demand by the hackers. This is curious because the statistics I hear all point towards an honour amongst thieves mentality when it comes to hackers. They're smart enough to know that if paid ransoms aren't met with a return of data then future ransom demands are seldom likely to be paid. So, to see a large organisation with what can only be presumed means of paying any ransom refuse to do so and risk potential lengthening of a downed IT system on the surface doesn't make a whole lot of sense. 

However I'm sure they had their reasons and only time will tell if this tactic was the correct course of action or not. Back to the issue at hand. That is the still lacklustre take up of cyber insurance amongst business owners despite plentiful access to over 25 Australian Insurers offering cover at very affordable prices. The 'won't happen to me' attitude is still alive and well in my opinion and is a very dangerous one for the business community to have. 

Perhaps the narrative needs to change from just adding to your insurance spend to realising that many insurers now have integrated very competent hour 0 break glass procedures into their policies. Meaning you're not just buying another insurance policy anymore; you're buying in most cases a dedicated cyber procedure that can be adopted as your own. Proverbially think of it as a number to call asap once you've been hacked and a swat team of IT geeks parachuting in through the window yelling 'step away from the PC!'. Well maybe not that dramatic but something along those lines. 

In summary 2 large transport companies were scared enough this week to speak to me about revisiting my proposal of cyber insurance for their business. A small sample size I know but I just hope that it doesn't take major publicised incidents in each business type to realise the need for adoption of a cyber insurance policy.