And here’s why…
This week, the Australian Federal Court ruled in favour of a ransomware insurance provider. The court said the provider was not liable for covering the clean-up costs incurred after an attack on a client’s business, such as for forensics, incident response and replacement hardware.
For any proactive business owner, this decisive ruling acts as a firm reminder to implement top-quality preventative IT measures to guard against cyber-attacks.
The Judge presiding over the Australian lawsuit explained, “It is not any ‘loss’ which is covered. It is only ‘direct financial loss’ [and the cover] is also subject to the exclusion of any indirect or consequential loss”.
Basically, how a business owner responds to an attack, and the resulting costs, fall back onto them. A complete ‘cure’ to a ransomware attack does not necessarily come under the category of harm done by the attack itself. This grey area can leave a business out of pocket, potentially by hundreds of thousands of dollars.
In this week’s lawsuit, the specific policy covered “blank media” only, which represented only a small outlay of costs incurred directly from the attack itself. No other recovery costs qualified for additional compensation.
Some commentators speculated that the lawsuit and insurance policy in question were not actually specific to cyber-attacks.
It’s also been noted that cyber insurance in Australia is still very much in a developmental phase and experiencing quite a few teething problems.
The lesson learnt for business owners is that “cyber insurance” should represent only one component of a much wider, multifaceted cyber risk management strategy. Don’t simply have a reactive, band-aid solution such as insurance and call it a day.
We know most insurance policies – regardless of the subject matter they cover – are usually open to wide interpretation. We have all gone through a review or investigation by one insurance provider or another in our lifetime.
Cyber insurance is no different. It pays to be across the fine detail and small print. It’s important to know what ISN’T covered, perhaps in some ways more than what is!
So, in short, ring your insurer and be sure you have 100% clarity by running different scenarios past your account manager. They should be able to give you a crystal-clear understanding about what happens if your business is hacked. If you feel any hesitancy at all, swap providers.
Things to consider are:
- Incident response cover (access to experts to help)
- Reimbursement cover (i.e. hardware & system replacement)
- Disaster recovery compensation
Insurers aside, T4 Group insists you look at the best preventative measures to decrease any cyber-attack risk to your business. Prevention is better than cure – a comprehensive and sophisticated cyber strategy protects your business best.
Please call us on 1300 765 014 for a more detailed discussion.