2023 November 01
Often when we are reviewing an SME client’s insurance programme, we get asked if they really need cyber insurance.
If you are a small business who is questioning why you may need cover for cyber breaches, here are some things to consider.
Anyone who uses a computer is fair game when it comes to a cyber-attack – whether you are doing online shopping, transacting business, or even sending an email.
Unfortunately, we only tend to hear about the big cyber breaches in the media, when the reality is that attacks on SMEs are becoming more common. In fact, they often make up a large proportion (if not the majority) of insurer claims. One of the main reasons for this is because SMEs don’t necessarily have the resources to invest in top-of-the-range IT-security and are therefore easier targets.
SMEs may think that, because of their small size, there is not much worth stealing, and so may not have strong IT policies in place, if at all. Cyber criminals however don’t usually just target one organisation, they attack multiple businesses simultaneously. Therefore, they only need a little bit from many entities to make it worth their while.
It is interesting to note also that not all cyber-attacks are financially motivated. Earlier this year, a 17- and 18-year-old in London were in court having hacked into Uber and Rockstar Games Inc.’s unreleased Grand Theft Auto sequel.
It is said that these attacks were more about notoriety. The prosecution said that it was “a juvenile desire to stick two fingers up to those that they are attacking,” whilst the defence was that they were “the efforts of silly teenagers out to get a laugh”.
Meanwhile, a single attack can cause major damage to a small business, with the costs involved in managing and remediating the attack quickly adding up. Businesses can incur expensive legal and notification costs, not to mention the reputational risk and the hours wasted by business owners and employees to have to clean up the damage caused.
We often hear that cyber insurance is not required because “my IT provider takes care of everything and is therefore liable for any losses”, which isn’t strictly true.
The other misnomer is that “I’m only a small business so losses won’t happen to me” or “the regulations don’t apply to me”. As we noted above, attacks on SMEs are becoming a lot more common and yes, under the Privacy Act 2020, if you have a breach, you have responsibility. In fact, the Deputy Privacy Commissioner recently said in a statement that even small businesses that digitally manage personal information can expect to be found in breach of the Act if they experience a cyber-related privacy breach and don’t at least have minimum security requirements in place.
The question is, are you prepared to take that risk? Can you afford not to have cyber insurance and therefore remain exposed?
Need some help understanding what your cyber risks are? Please reach out to our liability specialists on insurance@icib.co.nz or phone 09 377 4314.