Cyber insurance is designed to help organizations minimize cyber risk by offsetting the costs involved with recovering from breaches or other security incidents.
Cyber insurance doesn't protect businesses against cyber crime, but it gives them a better chance to maintain financial stability if a serious security event does occur.
Cyber insurance policies can include first-party and third-party coverage. First-party coverage applies to losses sustained by the victim organization directly, such as loss of income, ransom or other extortion demands paid, notification costs and reputation damages. Third-party coverage applies to losses resulting from lawsuits by other organizations or people who claim to have been damaged by the incident, such as lawsuits over network security liability, network privacy liability and electronic media liability.
Cyber insurance can help organizations deal with the wide range of costs of dealing with a data breach: professional services like the forensic teams required to help clean up and discover what happened; the data recovery teams that work to recover compromised sensitive data; non-security services such as public relations to manage the story and to help interface with external stakeholders; legal services to manage possible lawsuits from vendors, partners, customers, or compliance and regulatory entities.
In Malaysia, we believe there is still a huge gap in cyber insurance uptake among SMEs. Unlike fire and burglary insurance, which is purchased by default owing to financial obligations, many companies are still taking a lackadaisical approach to cyber insurance.
Many may be struggling to know what they need as well as what they are getting. Some might have the impression that a cyber insurance policy will simply pay for a breach, and that with the policy in hand they can ignore implementing proper risk mitigation measures in their companies. They do not realize that if the company is found to be liable for the breach due to negligence, such as poor security hygiene, it is generally unable to use its cyber insurance policy to recover from the breach.
For those contemplating purchasing cyber insurance, the fear that insurers will look for some loophole or leverage a technicality to avoid paying out is real. When investigating a claim, insurers will very likely require the insured to prove the following, which may be missing or lacking owing to the ignorance or lackadaisical attitude of the insured:
An incident occurred (i.e. not just some lost data on a hard drive)
Basic security and compliance protections were in place, and the insured has been following them (weak user passwords apparently are not a justification and could be excluded)
The insured is compliant with generally accepted regulations or guidelines from the respective governing authorities on managing cyber risks
So the question here is: how can the gap between insurers and SMEs be bridged to allow more buy-in?