To paraphrase Benjamin Franklin, nothing is more certain than death, taxes and, nowadays, cyberattacks.
In addition, regulations, such as Law 25, is forcing companies to better protect the personal information they hold, otherwise they will have to pay extremely high penalties.
This means that in today's environment of ransomware attacks and relentless data breaches, cybersecurity, but also the financial protection to cover the costs of an unavoidable cyberattack, are crucial priorities.
Direct and indirect costs of a security incident
As illustrated below by Deloitte, security breaches can lead to visible and less visible costs such as brand devaluation and changes in consumer behavior.
And these two categories contribute to the weakening of your business and could even threaten its survival.
Managing the risk associated with cybercrime and human error is therefore, without a doubt, an essential necessity for all organizations, including SMEs.
But, once the risks have been identified and assessed, what are your options for managing them?
How to manage the risk?
Let's start by defining risk, in a simplified way, through the following equation:
Risk = Probability x Impact
To reduce risk, you need to reduce the likelihood or impact, using the mitigation strategies available to you.
|
Risk tolerance |
Definition |
Explication |
|
Avoid/solve the risk |
Completely eliminate or waive the risk |
It's about, when possible, refusing a risk if its potential impact is too great, even if you transfer or mitigate it. |
|
Mitigate risk |
Reduce the likelihood or impact of risk |
You can reduce the likelihood and impact of the risk by implementing the required security measures. |
|
Transfer the risk |
Shift the risk to a third party |
Risks that can have a significant financial impact are mitigated by being shared or transferred. |
|
Accept the risk |
Not resolving, transferring or mitigating risk |
The expenses incurred to mitigate the risk are greater than the cost of risk tolerance |
You can certainly decrease the probability, that is, reduce the chances that an internal or external threat will exploit one of your vulnerabilities.
But you can also act on the impact, in particular by transferring part of the risk to a third party, by taking out cyber insurance.
But what is cyber insurance?
The goal is to put financial protection in place to cover the costs of an unavoidable cyberattack, to keep your operations running smoothly and avoid significant financial losses.
Cyber insurance can cover cyber events, such as:
- Data Privacy Breaches: The loss and/or unauthorized access or disclosure of confidential or personal information;
Cyber extortion: A demand for payment under threat of compromising your data; for example, disabling your operations or compromising your confidential data; - Technological interruptions: a technological failure or a denial of service attack;
Cyber insurance can help victims pay for many expenses related to cyber attacks, such as:
- Civil fines;
- Damages;
- Investigations;
- Data restoration costs;
- Other expenses to restore business operations;
Types of cyber insurance
In general, there are 2 types of cyber insurance according to their coverage, namely:
- First-party coverage helps you respond to data breaches on your own network or systems.
- Third-party coverage helps pay for lawsuits caused by data breaches on a client's network or systems.
Cost of cyber insurance
You won't be surprised if I tell you: It depends!
Especially as times change. Cyber insurance used to be relatively simple - a few forms, extensive coverage, low premiums.
Today insurers carefully examine the risk profile of each applicant and price policies accordingly. And they often refuse to cover insufficiently prepared and therefore high-risk claimants.
The fact remains that the cost of cyber insurance is by far much lower than all the costs that you will have to bear in the event of a cyber attack or a data breach.
As a budget, for an SMB, the cost of cyber insurance is between $750 and $1,000 per year.
Although we help our clients comply with and exceed the requirements of insurers, Present is not a broker, we leave it up to you to contact your insurers to obtain a personalized offer.
Here are some factors that influence the cost of your premium:
- Activity sector;
- Company size;
- Amount and type of sensitive data in the environment;
- Revenue;
- Claims history;
- Type of coverage desired;
- Desired level of coverage;
- Security controls in place such as:
- Multi-factor authentication;
- Advanced and Managed Endpoint Security (MDR);
- Updates to operating systems and applications;
- Staff awareness;
- Regular backups, local and remote, tested and integral;
- Disaster recovery planning;
And in the event that you managed to take out a cyber insurance policy without extensive verification, pay attention to the fine print. Just because you have insurance does not mean that you do not have to put in place the appropriate security measures or those specified in the contract.
Conclusion
Like most companies, you cannot afford to have a contingency fund to cover all the costs caused by a cyberattack.
The best approach for SMBs then is to have a proactive security strategy and balance it with cyber insurance.
But realize that your acceptance and the amount of your insurance premiums are directly related to your level of cybersecurity preparedness. In this sense, cyber insurance can no longer be treated solely as a risk transfer mechanism.
Present can help you develop a cybersecurity strategy to counter threats and increase your level of security in a managed mode.
By doing so, you are filling two needs with one deed. Like many of our customers, not only do you raise your level of security and reduce your exposure to risk, but you also benefit from a cyber insurance policy with the best possible terms.