How Cyber Insurance helps you manage the True Cost of a Data Breach

How low can you go? 

When it comes to cyber insurance, organisations may get fixated on the costs in front of them – insurance premiums – versus the potential cost of administrative fines for data breaches, which can now be as much as $1 million and beyond.

But if you ask Andrew Lai, Chief Operating Officer of Anapi, a digital insurance brokerage that caters to startups and SMEs, they should look at the bigger picture.

“A lot of clients focus on the premiums they are paying, instead of the fines incurred for breaching the PDPA (Personal Data Protection Act).

“And they tend to forget that most of the costs and the claims paid out by insurers are actually for lost business and extra expenses.”

Get our free guide on Preparing for a Data Breach with the help of a data protection management tool. Log in as a DPEX Network member (sign-up is free) to download.

Fines are not your biggest concern

According to Lai, the fines levied by regulators, such as the Personal Data Protection Commission (PDPC) in Singapore or the National Privacy Commission (NPC) in the Philippines, “are always the smallest part of a cyber insurance policy when it comes to claims paying out.”

“[Compensating for lost business and additional expenses] is a key component of the claims and that's why you're paying the premium,” he added.

Lai spoke to DPEX Network about the trend from the past year, that insurance premiums are increasing, and the fact that the cost of getting cyber insurance is expected to continue to rise in the next 12 months.

“Documentation is also getting more technical, the forms and underwriting requirements are getting larger and more sophisticated. But insurers are not unreasonable. If you can give them a good reason why, and they believe the reason is valid, they will accept how you defend your clients' personal data [and adjust premiums accordingly].”

Get our free Data Protection Impact Assessment (DPIA) Cheat Sheet. Log in as a DPEX Network member (sign-up is free) to download.

Go through underwriting to spot gaps in your data protection

Lai also advised organisations that are yet to take up cyber insurance to take the underwriting process in the right spirit, as it can be a useful exercise that informs your data protection plans.

“You should treat the cyber underwriting process as a key summary of what insurers have discovered with their client bases: what is causing a lot of breaches and where the breaches are most dangerous.

“And if during the underwriting process, you keep thinking, ‘No, I don't have this, or, no, I don’t have that," then it is a red flag that maybe your cybersecurity posture is not as strong as you think,” he said.

“If, for example, you do not have multi-factor authentication on your emails or on your key backups, there's a very high chance that a breach will likely occur. And, if it does, it will be very damaging to your business.”

Stay tuned for our upcoming webinars and events on data governance by following us on Facebook and Linkedin.

The true value of cyber insurance

Going back to how organisations view cyber insurance premiums, Lai highlights the importance of acting in a timely manner as part of an adequate data breach response.

“What you're also paying for, and I think what the real value of cyber insurance is, is the early crisis response by established cybersecurity providers,” he said.

“We can give you expert PR, IT and legal advice. We can show that if you're able to come in early with the right PR messaging, the right IT, and the right legal advice in the early stages of the breach, you can actually control and contain a cyber security breach to a manageable extent.

“That's what the [cyber] insurance actually gives you. That's what's most important.”