Craig McDonald 21 September 2022 14:10:22 AEST 6 MIN READ

Cyber Risk? Don’t Bet Your Business on Your Parachute

It seems like only yesterday that we were trying to persuade business leaders that it wasn’t a matter of ‘if’ they would be impacted by a cyberattack, but ‘when’. And in fact, in my most recent poll, many seem to think that mindset still persists. However, I was encouraged to read a recent article in the AFR that suggests a much more mature, yet still concerning, dialogue within the business community.

The article, penned by BOSS Editor, Sally Patten, is about the skyrocketing price of cyber insurance, with premiums increasing by as much as 80% in the past twelve months, following a 20% rise in each of the two years before that.

In the article, my good friend and CEO of Honan Insurance, Andrew Fluitsma, is quoted as saying “There’ll be a number of insurance companies that won’t even look at a business that doesn’t have a bunch of security measures in place. They’ll just turn around and say, ‘we’re not going to insure you’.”

The article points to ‘rampant ransomware’ attacks as the main culprit, with Mr Fluitsma estimating that 38% of cyber insurance claims in the past twelve months were ransomware related.

In real terms, an SMB wanting to purchase $10M in cyber cover is up for approximately $60,000, an increase of $33,000 on the prior year. And larger businesses that are considered a higher risk are looking at $350,000 per annum for a $20M policy, up from $194,000 the year before.

As a business owner, or executive leader, that’s a high price to pay on top of the myriad other insurances that businesses are faced with, and they’re all increasing too.

The escalating cost and prevalence of attacks is troubling, but the conversation around cyber risk insurance and the strong demand also signals a more mature conversation that’s now happening within the business world, recognising that cyber incidents do happen, so businesses are boosting investments accordingly to protect themselves. That’s a good thing.

In a similar vein, a recent Gartner study suggests that from 2020-2021, worldwide cybersecurity spend increased by 17.5%, and its 2021 CIO Agenda Survey showed that more than 61% of the 2,000 CIOs surveyed had increased their investment in cybersecurity that year. Again, it points to a mature and pragmatic recognition that although we might wish bad things wouldn’t happen, sadly we know they will. So, we need to plan and budget accordingly. The ostriches that choose to bury their heads in the sand and hope for the best will pay a much more severe price. As the saying goes, “failing to plan is planning to fail”, and that means accepting the reality of the world and circumstances that we’re confronted with.

Prevention is always better than a cure, of course. None of us want to suffer through the horrendous circumstances and uncertainties of a cyber-attack. It’s literally an existential crisis. Aside from the physical costs associated with the incident itself, there’s the internal turmoil of communicating your situation with employees, your executive team, and the board. Not to mention business and supply chain partners, investors, and other critical stakeholders. The implications for customers, and the resultant damage to your company’s brand and reputation could be devastating.

Let’s be clear – you need cyber insurance. It would be foolish to roll the dice on such a critical decision. Many will be tempted to underinsure and hedge their bets. But even so, a robust and resilient cyber strategy and accompanying defenses are now non-negotiable. As Mr Fluitsma suggests, most insurers won’t even consider issuing a policy if your company hasn’t got some fundamental measures in place.

Some may be tempted to baulk with questions about the willingness of insurers to pay out on policies and the implications on future premiums. We’ve seen that with the flood crisis across eastern Australia, as some businesses struggle to pay the incredibly high premiums, and others refuse to while they’re still waiting for past claims to be settled. But the analogy is the same. The floods and storms will continue to come, so despite the frustrations with the system and the processing of claims, the business owner and management are left to carry the can and to try to protect and salvage the business.

We mustn’t let the fear and frustration associated with the awfulness of these situations dissuade us from addressing them, and planning for them. In a recent post about MailGuard’s email continuity and archiving services, we talk about the need for businesses to develop thorough plans (BCPs, DRPs, etc.). Cyber incidents are much the same.

The businesses that have suffered through the floods are thinking about more than sandbags: they are working out how their businesses and staff can work from different locations to continue operations, and are actively moving stock to higher areas. You too must plan for the same disruptions in the event of a cyber incident. The AFR article that I mentioned points to just a few examples of the devastation that can occur, naming Toll Holdings, Nine Entertainment, Taylors Wines and Levitas Capital.

Insurance, while it has an important role, is clearly a last resort. Trying to put things back together after an incident is the last place you want to be. An airline doesn’t put all of its budget into slides, rafts, air masks, life-vests and parachutes. They employ trained pilots, engineers and maintenance crews who can anticipate every adverse scenario that they may be confronted with mid-flight. You should do the same.

Build out a pre-emptive and considered plan with your team. Engage expert partners that can provide additional support based on their first-hand experience and expertise. The time and investments that you make now will position you for a more resilient path forward.

Nine out of ten cyberattacks start with an email. Speak to a MailGuard expert about the cyber readiness of your business, by reaching out to expert@mailguard.com.au, or call 1300 304 430.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
