Should backup be a cyber insurance prerequisite?
03 May 2018
Last year saw a surge in cybercrime which surpassed previous years, highlighting the importance of having proper, continually updated security measures in place. Data’s increasing value and the advent of regulatory measures around data protection have pushed the protection of company and personal information, in the face of rising cybercrime, to the fore for South African businesses.
As a result, many organisations are exploring the benefits of taking out cyber risk insurance, or Cyber Liability Insurance Coverage (CLIC), to protect against the financial damage of data loss. However, while cyber insurance may help you to recover from the financial impact of data loss, it cannot assist with recovering lost data or with reputation damage. Once lost, data simply cannot be restored, unless you have backup in place.
Risk and responsibility
Businesses are responsible for the loss of any data that they possess. For their own data, the risk lies in the dissemination and use of potentially confidential proprietary information. For loss of customer data, the risk to the business is that much greater. Loss of customer personal information due to theft, breach or accident can lead to a reputation for carelessness and poor security, loss of existing and new revenue, and potential lawsuits for negligence or privacy infringement.
Regulations such as the Protection of Personal Information (PoPI) Act and the General Data Protection Regulation (GDPR) have created legislation around how businesses protect, use and store their customers’, suppliers’ and employees’ personal information. The impact of non-compliance is high, with fines of up to R10 million and imprisonment for PoPI infractions, and a fine of up to 4% of the business’s annual global turnover for GDPR infractions – this excludes personal lawsuits filed by individuals who are impacted.
Cyber risk insurance covers businesses for any financial losses incurred due to a cybercrime or data breach. This extends to payouts for covering operational interruptions, public liability lawsuits, and even reputation reparation. Insurance does not cover recovery of data that is irretrievably lost.
For insurance companies, there exists the opportunity to collaborate with data management or IT companies to provide ancillary services such as data backup that support cyber insurance policies. In fact, having adequate backup in place should be a prerequisite for any cyber insurance policy as it reduces the risk for both the insurer and the insured.
Most cyber insurance policies require that organisations have proper security measures in place to prevent the loss of their data. From firewalls to comprehensive cyber security policies, the ability to demonstrate how well your data is protected helps to reduce the risk for insurers to cover you against loss of data. Still, data once lost is lost, and there is little that an insurer can do beyond covering costs incurred in the face of lost data.
Nevertheless, if the insurer were able to offer backup as a value-added service or insisted on proof of backup as a prerequisite for cover, not only would the risk of financial impact be lower, but the organisation would still be able to continue as it did before the data breach. There would still be costs, in the recovery of data, legal fees and reputation recovery; however, the business would still have its data and could effectively continue to use the data as before.
Insurance companies can extend this value add by offering regular testing of backup facilities through partners and ensuring that businesses remain low risk.
This type of collaboration requires a shift in mindset, and for insurance organisations to bridge the gap between insurance and IT, closing in on an area where all parties stand to benefit. Organisations can be protected against data loss, both in the financial and real sense, and insurers can bolster their service offering to customers and create new streams of revenue. It’s a win-win, really.