The outcome of a recent legal dispute between Australian company Inchcape and insurance provider Chubb is a stark reminder for companies to reconsider the role of insurance in addressing the growing threat of ransomware.

The Federal Court ruled that Chubb was not liable for recovery costs following a ransomware attack as they did not qualify as “Direct Financial Loss” in relation to the policy agreement, leaving Inchcape to shoulder the costs of clean-up and recovery following a ransomware attack.

Australian companies are increasingly exposed to the threat of a ransomware attack, which can be disastrous. According to Sophos, 80% of Australian organisations were hit with ransomware in 2021, up from 45% in 2020. The average cost to an Australian organisation is AU$250,000 per incident.

Cyber insurance can be a helpful safety net for businesses, but it is not a complete solution. The Inchcape and Chubb ruling demonstrates that insurance can’t guarantee coverage of all the monetary losses and recovery costs associated with an attack.

More importantly, it will not cover the loss of goodwill, damage to your brand image, and loss of customer loyalty after an attack. Instead of relying 100% on insurance, organisations should pursue these three strategies to safeguard their data and ensure the business can continue operating.

1: Have a sound recovery plan

Moving data to a cloud provider in itself is not a guarantee of the safety and security of your data. Last year, a fire at the data centre of French web hosting service OVHcloud caused the loss of massive amounts of customer data. It impacted government agencies, e-commerce companies, and banks, among others.

Backing up the organisation’s data to the cloud or on-premise is a critical and cost-effective first step in any disaster recovery plan. But it’s only the first step and needs to be complemented with a plan to quickly recover valuable data in an emergency. Testing their recovery plan often by simulating disruptions allows the organisation to see well their recovery plan works. Additionally, they should be regularly testing their backup images and fixing any problems.

2: Implement a backup and recovery solution

Cloud security is not solely the responsibility of your cloud provider. Cloud providers usually promise to secure their infrastructure and services but they will not guarantee the safety of your data. No matter what cloud platform you use, the data is still owned by the owner organisation, not the provider. Many cloud providers recommend that their customers use third-party software to protect their data.

Organisations can comprehensively secure their data with a reliable cloud backup and recovery solution. By implementing a cloud backup and recovery solution that automatically backs up the company’s information every 15 minutes and provides multiple points of recovery, organisations can better guarantee that their valuable data is continuously protected while having quick access and visibility to it 24/7.

3: Be proactive: be data resilient

Companies need to practise data resilience by having a recovery plan and testing it often. A data resilience strategy ensures business continuity in the event of a disruption. It is built on recovery point objectives (RPOs) and recovery time objectives (RTOs), and organisations should regularly test to guarantee that the RPOs and RTOs can be achieved.

RPO determines backup frequency, and in essence, measures the company’s tolerance for data loss. Some organisations can tolerate a data loss of 24 hours, so they back up their data every 24 hours. Their RPO is 24. Other organisations, such as those in finance and healthcare, absolutely cannot tolerate a data loss of 24 hours. Their RPOs are set to milliseconds.

The RTO measures the downtime an organization can accept between a data loss and recovery. It’s how long they can be down before the business incurs severe damages. The RTO determines the company’s disaster recovery plan investment. If their RTO is one hour, they need to invest in solutions that get them back up and running within an hour.

Establishing your RPO and RTO and then implementing the solutions needed to achieve them are the keys to data resilience.

We live in a world of growing cybersecurity threats, more frequent natural disasters, and black swan events arriving in flocks. Organisations purchasing cyber insurance need to realise that this type of insurance alone does not constitute a data protection plan. It is best viewed as a complement to their backup and recovery efforts. Never consider it a replacement.