Cyber Insurance for SMEs – When Should You Start Implementing?
This headline from a recent article about a report from the Cyber Security Agency of Singapore(CSA) is both sobering and real. Businesses in many shapes, forms and sizes have been affected by cyber-attacks. From hotels to entertainment outlets or airlines to insurers, the possibility and probability of having a cyber breach is no longer a risk that can be ignored or neglected.
Cyber risks are defined as “any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information systems”. To a layperson, cyberattacks may just be about having your computer systems infected with virus but in reality, hackers have many methods to create disruption.
Recently, a business owner client of mine enquired if their “Industrial All Risk” policy covers “PDPA” claims. Specifically, the client is concerned that if there is a data breach and their business is ordered to pay a big fine (up to $1,000,000 or as the PDPC deemed fit under the Personal Data Protection Act), can their company’s insurance policy cover the amount that have to be paid. I helped reviewed their insurance policies and not surprisingly, the particular concern about fines from Personal Data Protection breaches are not covered. In fact, insurance policies do not cover fines for offences under the Personal Data Protection Act in Singapore.
Yet, fines are not the only thing to be worried about when your business suffers a cyberattack. There are many other immediate hot-potato items to deal with before arriving at the stage of paying a financial penalty.
3 Stages of Being a SME Cyberattack Victim
A simple way to understand the risks and problems that can affect a business that a cyberattack can cause is to think of it as the following 3 stages:
Stage 1: Interruption (Take a break)
While a cyberattack is unlikely to permanently shut down a business, it can most certainly shut down the business temporarily. This is especially so when the business generates revenue digitally by accepting business orders or collecting payment online. While the business income stops, the business costs will not. Staff needs to be paid, fixed expenses needs to be met and borrowings have to be serviced. All these will mean an immediate and irrevocable financial loss at the initial phase of being compromised.
Even if the business is more of a brick and mortar business, operations may still be disrupted due to the next stage.
Stage 2 : Remediation (Make the changes)
This is the big unknown with no cookie cutter approach. Upon a cyberattack, there are immediate remedial actions that need to be taken and the scale of work needed depends on the scale of the attack. From hiring data forensic experts, replacement of hardware and software, informing of affected parties which may include hiring external vendors such as call centers or even public relations consultants, there are both financial and time-based costs incurred to recover the business to where operations are the same as or better than before the attack.
Most businesses do not have the remedial expertise in-house and outside specialists and service providers will be needed which may come at a premium price, especially when it is at a time of need. Some of the remedial actions are essential to get the business up and running safely(e.g. replacement of hardware or software), other remedial actions may be required by law (e.g. reporting of cyberattack with accompanying forensic analysis) and this will lead naturally to the next stage.
Stage 3 : Liability (Pay the price)
After the damage have been done and despite the business being a “victim” of a cyberattack, there may be affected parties who suffered as “collateral damage”. They will seek to recover losses from the business and this will create legal representation costs, settlements and awards. These public and third party liabilities are in addition to the fines that may be imposed.
This is where PDPA fines will come in and by now, you may probably recognize that the fine is only a part of the many potential financial obligations that a business can incur should it be the unfortunate victim of a cyberattack.
The Right Time to Be Serious about Cyber Insurance
There is no best time to implement cyber insurance into your business insurance portfolio until you know exactly when a cyberattack will happen to your business. On one hand, cyber insurance is an additional cost that your business may not be able to take on at this point in time. On the other hand, the potential financial obligations may potentially deal the business a fatal blow that it may not recover from. This is the common dilemma many businesses face.
In my opinion, here are the 3 guidelines that you can consider to determine if you should be implementing cyber insurance into your portfolio:
1. Your business revenue is generated digitally
There are different ways to manage a risk. The safest way is to avoid the risk totally so if you are concerned about being in a motorbike accident, you can avoid getting on a motorbike. However, if you are in the delivery business and you have to ride a motorbike to do your job, you can’t avoid the risk and will have to resort to the other risk management tactics – risk mitigation and risk transference.
Just like riding safely and being comprehensively insured is important for every motorbike rider on the road, good cyber habits and cyber insurance is essential for every business that generates revenue digitally.
2. Your business collects and stores data
We understand now that data is valuable and there are people out there that are willing to pay good money (legally or otherwise) for quality data. Cyberattacks are not carried out as a hobby or for recreation, cyberattacks are carried out because there is a financial payoff at the end of the day. Unfortunately, many businesses cannot operate without collecting and storing data of some sort and again, if the risk cannot be avoid, it may have to be transferred using Cyber Insurance.
3. Your business is at the “Success” Stage
Typically, businesses go through 3 stages of growth (i.e. Survival, Success and Significance). At the survival stage, there are too many urgent matters to take care of and cyber insurance, despite its obvious importance, will have to take a back seat to the other “life and death” matters. When the business takes off and enters into the “Success” stage, a week of business interruption may well cost more than the annual premium of a cyber insurance policy. There is much more to lose than to gain from the savings from not implementing a comprehensive cyber insurance plan not to mention affordability may no longer be an issue.
The Real Risk – No Time and Vague Responsibility
When I began the discussion with clients on the topic of cyber insurance for their business, the biggest challenge I have is not that they are unaware of the risk. The biggest obstacle I’ve realized working from the ground up, is that amongst the many urgent “to-do” priorities for today, there is a lack of time to address this important but not urgent matter.
To make matters worse, the line of responsibility may be vague in many SMEs, especially when many departments are already multi-tasking. My interest in cyber insurance started when a client of mine who is the CEO wanted to find out if their business is sufficiently protected. When I started to discuss this with other business owners, I realized that this responsibility may be handled by the department that is in charge for insurance matters (e.g. human resource), the head of IT or even an administration executive who is multi-tasking. In extreme cases, no one is taking responsibility because it was assumed that someone else is looking after cyber risks.
Start Small – Something is better than Nothing
The good news is that a delay in implementing cyber insurance is not fatal as the occurrence of cyberattacks are not high, at least for now. The bad news of course, is that cyberattacks are trending up and if we are going to be glass half empty about it, it may well be a matter of time before your business becomes a victim.
To get started on exploring the possibility of implementing cyber insurance for your business, you can use this “Guide to Cyber Insurance Premiums for SMEs (less than $50 million in revenue)” [updated 26 Aug 2020] which provides an indicative insurance premium for your business. This can help you to decide if the time is right for you to transfer this emerging business risk to an insurance company instead of absorbing the risk within the balance sheet of the business.
Let me end with a question. If the business was not sufficiently insured and a cyberattack resulted in a major financial loss to the company, who is really responsible? Is it the head of department for IT? Or whoever is in charge of insurance within the company? Perhaps, the responsibility should lie with the directors or the C-suites?
I’ve recently completed a training and the main message is that everyone is responsible for the cyber health of an organisation because anyone can be a reason and a cause for a cyberattack to happen. It is then that I realised that when it comes to managing cyber risk, avoidance is not an option. And when we cannot avoid something, we better manage it carefully.
Good luck, stay safe digitally and when the time is right, have your cyber insurance properly implemented!
Article by Lee Meng
The writer is an Executive Financial Services Consultant representing GEN Financial Advisory