The travel and tourism sector is among the most susceptible to cyberattacks, ranking third in incidents, according to the Trustwave 2020 Global Security Report.
With attacks becoming more common and increasingly sophisticated, the risk and impact of cyber-ignorance are escalating.
Given the growing sophistication of attacks, merely investigating cybersecurity strategies thoroughly in the aftermath of a cyberattack, or focusing on meeting compliance obligations, would not suffice; it would only lead to an endless cycle of spending, said GlobalData in a recent report.
The expert analyst said cybersecurity should involve contingency planning, outlining the immediate actions and post-breach responses a company should take if a cyberattack occurred, and understanding a company’s current level of cyber risk.
Although these services are typically outsourced, companies should still invest in these services by creating strong partnerships with service providers to stay on top of vulnerabilities and ensure compliance requirements are met.
General Manager of SATIB Insurance Brokers, Natasha Parry, agreed that the best way to protect a tourism business from cyber risks was to adopt a comprehensive and proactive approach.
“Despite your best efforts, you may still face a cyber incident that can cause significant damage and losses to your business. This is where insurance can help you and provide you with a defined incident response process and access to leading experts who will help you with your breach.”
These experts include:
- An IT forensic team: They will come in when a company has a breach and help it get up and running as soon as possible. The team will investigate the cause and extent of the breach, contain and eliminate the threat, recover and restore the company’s data and systems, and prevent future attacks.
- Legal experts: They will assist with liability issues and advise on a company’s legal obligations and rights, such as notifying customers, regulators, or law enforcement authorities. They will also help companies/individuals defend themselves against any lawsuits or claims from third parties.
- A reputation management team: They will assist with brand reputation damage. They will help those impacted communicate effectively with stakeholders, such as customers, employees, partners, media, etc. They will also help rebuild the business’s trust and credibility in the market.
Parry highlighted that an insurance policy would also cover various costs and expenses that might arise from a cyber incident, such as:
- Ransom payment: If a business is a victim of ransomware, the policy will cover the ransom payment to the hackers. The experts will negotiate with the hackers to lower the ransom amount and verify that they have the decryption keys. They will also try to decrypt the company’s systems without paying the ransom if possible.
- Business interruption: If business operations are disrupted or suspended due to a cyber incident, the policy will cover the loss of income and the extra expenses that a company incurs to resume normal operations.
- Data restoration: If data is corrupted or deleted due to a cyber incident, the policy will cover the cost of restoring or recreating the company’s data from backups or other sources.
- Liability and compensation: If customers or other third parties suffer any harm or loss due to a cyber incident involving the business, such as identity theft, fraud, or breach of contract, the policy will cover the legal fees and the settlement amounts that the business has to pay.
How to choose the right insurance?
Parry emphasised that cyber insurance was not a one-size-fits-all solution. Companies need to choose the right insurance for their business that suits their specific needs and budget.
Some factors that need to be considered when choosing cyber insurance are:
- The scope of coverage: Businesses need to check which types of cyber risks and incidents are covered by the policy and which are excluded. They also need to check which types of costs and expenses are covered by the policy and which are not.
- The limit of liability: Companies need to check how much the policy will pay for each claim and for each policy period, and also check if there is any deductible or co-payment that they have to pay before the policy pays.
- The premium rate: It is important to check how much the policy will cost based on various factors, such as industry, size, revenue, risk profile, security posture, etc. Companies also need to check if there are any discounts or incentives that they can make use of, based on their security measures or practices.
- The claims process: Companies should also check how easy and fast it is to file a claim and get paid under the policy, and how responsive and supportive the insurer is in case of a cyber incident.