The Real Risk – No Time and Vague Responsibility
When I begin a discussion with clients on the topic of cyber insurance for their business, the biggest challenge I have is not that they are unaware of the risk. The biggest obstacle, I’ve realized from working from the ground up, is that amongst the many urgent “to-do” priorities for today, there is a lack of time to address this important but not urgent matter.
To make matters worse, the line of responsibility may be vague in many SMEs, especially when many departments are already multi-tasking. My interest in cyber insurance started when a client of mine, who is the CEO, wanted to find out if their business was sufficiently protected. When I started to discuss this with other business owners, I realized that this responsibility may be handled by the department that is in charge of insurance matters (e.g. human resources), the head of IT or even an administration executive who is multi-tasking. In extreme cases, no one is taking responsibility because it is assumed that someone else is looking after cyber risks.
Start Small – Something is better than Nothing
The good news is that a delay in implementing cyber insurance is not fatal, as the occurrence of cyberattacks is not high, at least for now. The bad news, of course, is that cyberattacks are trending up and, if we are going to be glass half empty about it, it may well be a matter of time before your business becomes a victim.
To get started on exploring the possibility of implementing cyber insurance for your business, you can use this “Guide to Cyber Insurance Premiums for SMEs (less than $50 million in revenue)” [updated 26 Aug 2020] which provides an indicative insurance premium for your business. This can help you to decide if the time is right for you to transfer this emerging business risk to an insurance company instead of absorbing the risk within the balance sheet of the business.
Let me end with a question. If the business was not sufficiently insured and a cyberattack resulted in a major financial loss to the company, who is really responsible? Is it the head of department for IT? Or whoever is in charge of insurance within the company? Perhaps the responsibility should lie with the directors or the C-suite?
I’ve recently completed a training and the main message is that everyone is responsible for the cyber health of an organisation because anyone can be a reason and a cause for a cyberattack to happen. It is then that I realised that when it comes to managing cyber risk, avoidance is not an option. And when we cannot avoid something, we had better manage it carefully.
Good luck, stay safe digitally and when the time is right, have your cyber insurance properly implemented!
Article by Lee Meng
The writer is an Executive Financial Services Consultant representing GEN Financial Advisory