It's an interesting comment about "does not have Cyber Insurance". Like many of us, having operated in the tech sphere for some time and looking at it, there are usually enough holes in a cyber policy to drive a bus through and they're simply not worth the paper they're written on. Whilst I don't seek to support/endorse or pillory Medibank for their action or inaction (immediate, historic or in response), I do question whether the monies anyone directs at a cyber policy shouldn't be better spent on their aptitude and attitude towards internal protection. My research on a recent offering from a major player shows it:
• Not covering any taxes, fines or fees incurred as a result of a breach (PCI, ICO, etc);
• Only covering “legally payable Cyber extortion” (not to countries such as those with which you shouldn’t trade, from which the attacks often originate);
• Not covering if you’ve had any understanding of the ingress route, which could be leveraged to suggest as you had DLP tools or similar provided as part of a Microsoft agreement, that you should have had understanding of any route;
• Wording meaning that proving a Cyber Threat is “credible” is critical to gain action, yet having not acted on it would be negligent should you be attacked;
• Covering just the first 48hrs of an Emergency Response;
• Voiding coverage if an incident is internally perpetrated;
• Not covering any losses of Intellectual Property via Cyber, or financial losses because of losses of IP via Cyber;
• Contains a clause worded in such a manner that if ingress was via a user clicking a link or having poor password hygiene, it would void the coverage for the incident, and human error causes 95% of cyber breaches;
• Force-majeure is not covered (as usual) which in turn could feasibly be leveraged to cite that if a company the scale of Microsoft, the majority of a good number of SME IT provision, had issues that contributed, it could be stretched to suggest this nullifies a claim; and
• Contains a clause which repeatedly cites “Direct result” which has been leveraged by insurers in the past where possible to pay nothing.
When the annual cost of an SME policy with inherently lower liability could equivalently fund a programme of internal education, a discrete edge mail-filtering service from a major player and a "traditional endpoint AV" type solution and simultaneously has such little likelihood of providing value, I question why many look for one other than ticking a peace-time box with an executive board that hasn't been educated as such?