It was not long ago that a company's cybersecurity plan was centred around the IT department, keeping internal networks protected and staying alert to malware and virus threats. Now, the risks have evolved: as companies have moved to more cloud computing solutions, Software as a Service providers and internet-enabled systems, they face more exposure to both internal and external risks. If your company has not identified your potential risks and implemented a comprehensive risk mitigation strategy that includes cyber insurance, you could be facing expensive consequences.

Who Connects to You?

Does your company use outside providers for software services, such as cloud computing, data analytics, HR or payroll software? How does a data breach or software failure at their end affect your business? Are you responsible to your clients or customers for a breach of someone else's system? Review your vendor contracts for these services to ensure that you are indemnified for a breach of their security. There should also be clear language in the contract about how and when they must inform you of any breach so that you can take appropriate action to protect your business and your clients.

What Connects to You?

The Internet is no longer just about connecting computers to one another and hosting websites. The Internet of Things (IoT) is expanding rapidly, and there may be connected devices used in your day-to-day operations that you are not even aware of. Security systems, climate controls, driver tracking and other business tools use connectivity that makes them potentially vulnerable to cyber attacks. Some IoT devices have built-in security measures that protect privacy, while others may create risks for your company. Assessing these risks should be part of your overall cybersecurity strategy. Using "privacy by design" principles and conducting privacy impact assessments (PIAs) and threat risk assessments (TRAs) can help with your overall risk assessment and risk mitigation strategy.

How Can You Protect Your Business?

Cyber insurance is an important tool that can help to transfer some of the risks associated with cybersecurity. The types of costs that can be mitigated through cyber insurance include:

  • Legal fees: This includes running investigations, sending out notifications of a breach and working with regulators.
  • Investigations and recovery: Understanding what happened and how to quickly get back to normal operations can be a costly process.
  • Crisis management: You may need to engage public relations experts and crisis management consultants to manage the company's reputation in the wake of a cyber breach.

Of course, insurers are always looking to minimize the chances that they will need to pay out on a policy. In order to keep your premiums as low as possible, it's important to understand and reduce your risk level. Insurance firms may ask if you have reviewed your contracts with the providers of your IoT devices to guarantee that these devices have built-in security and confirm that you have included indemnity clauses. They will assess whether vulnerabilities in one IoT device will lead to vulnerabilities throughout your business and whether you have layers of technology or security in place to ensure that this cannot happen.

The insurers will use a questionnaire to make sure your risk profile is as low as possible so that you can get the best possible premiums. Have you implemented comprehensive pre-breach risk mitigation strategies that include board coaching, employee training, vendor contract management and cloud security? The more you can do to prevent a breach, the lower your cyber insurance premiums will be.

If you're unsure where to begin, the cybersecurity team at Miller Thomson can help you to understand where your business may be exposed to cybersecurity risks and how to improve security and prevent breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.