Article by latest.insure
Globally, a cyber breach at a professional services business cost an average of AU$6.77M per company in 2023, according to IBM’s most recent data breach report. For businesses with fewer than 500 staff, the average cost was marginally lower at about $5M.
Crucially, it takes businesses from all sectors an average of 204 days to identify the breach, then another 73 days to contain it.
If you’re relying on your firm’s internal security teams and tools to identify the breaches, they’ll miss two-thirds of the attacks, IBM says. You’re more likely to find out about the breach from a benign third party or the cyber attacker.
This is a cyber hacker’s priority list: data about customers, employees, intellectual property, then anonymised customer data and other corporate data.
The Rising Threat of Data Breaches in Professional Services
Cyber criminals are becoming increasingly sophisticated. They spread their nets wide to sell data and use it to extort businesses, organisations, governments, and individuals. Typically, hackers’ motivations are criminal, political or personal, and centre on financial gain, says IBM. Most, though by no means all, operate from outside the companies they attack.
Rising threats of data breaches in the professional services sector include:
- Phishing or stolen or compromised credentials (these take the longest to resolve – almost 11 months on average)
- Unknown vulnerability
- Cloud misconfiguration/security
- Business email compromise
- Social engineering
- Weak security for staff/contractors working remotely
- Ransomware
- Physical security compromise
- Breaches through supply chains.
Surprisingly, businesses that use artificial intelligence and automation extensively save on data breach costs. They can identify breaches quicker and contain them 100 days faster on average than those not using this tech.
Understanding Cyber Insurance
A cyber insurance policy helps minimise the financial risks of operating a business online. In essence, you’re transferring some risks to the insurer.
But it’s not set-and-forget for those risks. The cyber security landscape is dynamic, so policy terms and conditions must be dynamic to match.
Cyber insurance, also known as cyber security insurance or cyber liability insurance, aims to protect your professional services firm from the compromise, theft, or loss of the electronic data you’ve collected. Coverage generally will:
- Protect you against cyber risks
- Help you deal with cyber attacks and incidents through expert advice
- Offer financial support for damage cyber incidents cause, such as investigation costs, credit monitoring services, possible legal responsibilities, etc.
- Fund lawyers to deal with the fallout of your firm’s data breaches
- Demonstrate to your customers and regulators that your business takes cyber security seriously
- Provide support to bolster your system – repairs, or replacement, for instance.
However, here are the exclusions to a cyber insurance policy:
- Insiders or employees causing the cyber events
- Infrastructure failures
- Loss of your intellectual property value
- Pre-existing breaches or those that happened before you bought the policy
- Failure to fix a known vulnerability.
Cyber Resilience Best Practices
The Australian Securities & Investments Commission lists 11 good cyber security practices (you’ll also find more tips under ‘useful links’ below).
These comprehensive practices cover strategy, governance, risk management, threat assessment, collaboration and information sharing, asset management, protective measures and controls, detective systems & processes, plus planning your response and recovery.
The Federal Government has allocated $7.2M in funding to set up a voluntary cyber health check program for small businesses. The government is also in the process of setting up its Small Business Cyber Resilience Service – so watch this space for updates.
There’s only so much your professional services firm can do on its own to manage cyber risks. Talk to us about how cyber insurance can be part of your risk management arsenal.