This program was designed to help small businesses defend themselves from cyber incidents and cyber risks from a financial perspective. How can they reduce the costs of a severe cyber incident, or offload that cost onto an insurer, while avoiding lawsuits, regulatory fines, and lengthy business downtime.
The solution to these is a combination of technical, legal and financial risk mitigations, which requires multiple c-suite persons involved to resolve the issues for a small business.
The legal module focuses primarily on contract law and the liability responsibility a party takes, how can the small business reduce their liability while remaining fair to both signing parties. At a higher level, a business contract can expose liability or reduce it for either party, and a small business should accept the risks they should be responsible for, but nothing beyond that, and this module teaches them how to do that.
The legal module also covers vendor and third-party contracts, and integrates with the insurance module for subrogation rights or waivers. When you sign a vendor contract, what responsibility do they take if a cyber incident occurs that they are responsible for. And this is very important in terms of insurance claims, lawsuits, and ultimately who takes ownership.
This module dives into the important concepts of contract terms, and has been reviewed by a professional law firm here in Canada. We stand behind the advice this module provides.
The Insurance module focuses on obtaining or changing your cyber insurance to suite your needs, it dives pretty deep into underwriting and insurance termniology. Use insurance as a tool to leverage a small business into a better financial situation during a severe cyber incident. The costs statistically are quite high, $4.2 million for a serious ransomware attack even to small business.
Offset the costs of downtime, brand and reputation, damages, and day to day business costs with a proper insurance policy from a good insurer. It should be noted in order to become eligible for purchasing cyber insurance from a reptuatable insurer, there are cyber security requirements needing to be implemented, and going through this process will inevitably improve a small businssess security posture, not for the sake of doing it, but because they have to in order to become eligible to buy cyber insurance, and also to save on premiums. This is what we call the CEO incentive to improve security.
The Recovery module focuses on incident recovery and response from a small business perspective, and this ultimately covers properly configured backup strategies, and restoration testing. When a company can quickly recovery its critical operations without becoming reinfected during that process, they reduce not just their cost of downtime but reduce the hit to their reputation as well with customers, partners and investors. It's one thing to get hacked - these days it is almost expected by most businesses, but its another to go out of business from being hacked and not be capable of recovering. This module will prepare a small business and also guide them through that process.
Included with this module in the courseware is the incident recovery and response plan template, that the small business fills out while reading through Book 3, which leaves them in a very prepared state to handling cyber incidents in their business. That plan covers strategy on how to handle the response, evidence collection, severtiy classification, escalation processes, and more.