As a business you will likely already have a range of insurance plans and policies in place from employer’s liability to professional indemnity insurance – but what about cyber insurance?
In 2022 we are experiencing a heightened risk of cyber attack following a period of accelerated digital transformation that has left many organisations with gaps in their cybersecurity. Now more than ever, a well-chosen cyber insurance policy can provide much-needed support in managing the financial and reputational repercussions of a cybersecurity breach.
Why you should consider cyber insurance
- Cyber insurance generally covers losses arising from damage to, or loss of information from, systems and networks as a result of a cybersecurity breach.
- Cyber insurance can help your organisation manage a cyber attack and provides support during and after the incident.
- The support from your cyber insurance policy can cover financial losses, as well as reputational damage and regulatory enforcement.
- It can provide cybersecurity support and expertise that might not be available within your organisation.
- Insurance may also help with recovering compromised data, repairing damaged systems, and managing affected customers/clients.
Why now?
Reports show that cyber insurance premiums have increased significantly in the last 12 months, with prices up by 130% in the US and 92% in the UK at the end of 2021 (Marsh Global Insurance Market Index). This is likely a response to high-profile attacks whose financial costs to organisations have reached the millions, and to the particular exposure of critical public-sector organisations, which handle highly sensitive information. (40% of the incidents managed by the NCSC in 2020/21 were aimed at the public sector.)
While premiums will likely be a significant investment for organisations, they do reflect the potential severity of cyber attacks – remember that if you experience a cyber attack, the costs are not only financial but also reputational. So, with cyber insurance prices predicted to keep rising year on year, now is the time to think about securing a policy that will provide the best support to your organisation in the event of a cyber attack.
Three steps to securing cyber insurance
Here are three steps that will help your organisation meet the requirements for securing cyber insurance and get the most out of your policy.
1. Assess your security posture
When purchasing an insurance policy, you will be required to provide information about your organisation’s existing security controls, for example the technical, procedural and human controls you have in place. Your organisation will need to allocate appropriate resources to accurately source, manage and compile this information. This tells insurers how mature your current security posture is and helps them build a policy suited to the level of security you already operate at.
A thorough assessment and understanding of your current security posture will ensure that you receive the most relevant cover, and that you’re only paying for the cover, services and support your organisation requires. On the flip side, it will also highlight essential cover that you might not previously have considered.
This step also acts as a good evaluation of where you’re at with your cybersecurity – remember that insurance will not prevent a security breach, so cybersecurity maturity should remain essential to your organisation’s ongoing digital strategy and overall business objectives.
2. Identify priority assets and infrastructure
The whole point of having cyber insurance is to protect what’s most important to you as an organisation, so you want to make sure the policy and provider you choose will cover your priority assets and infrastructure in the event of a cyber attack. While most providers will specify a set of minimum cybersecurity requirements your organisation has to meet, limiting yourself to the bare minimum may not be sufficient for your organisation, so it’s essential to identify where your cybersecurity priorities lie.
At this step you should also consider not just the significance of damage to or loss of physical assets, but also the repercussions of a breach for service delivery and reputation. How important is it to your organisation that you continue, or reinstate, service delivery as quickly as possible following a breach? Does your provider have the cyber skills to support this? Likewise, would reputational damage be more costly to you in the long term than the initial costs of a breach of data or information? If so, you may want to align with a provider that has experience in PR and managing high-profile attacks.
3. Review your cybersecurity defences
In a similar vein to the first step in this short guide, a review of your current cybersecurity defences can be incredibly beneficial before investing in cyber insurance. This is because the defences your organisation has in place can influence how insurance providers assess your risk. If your organisation already has recognised or certified cybersecurity defences in place, some insurers will offer discounts or reductions in price, so make sure you have a thorough overview of these. Examples include:
- Cyber Essentials or Cyber Essentials Plus
- ISO/IEC 27001
- Managed Detection and Response (MDR)
- Next-generation firewalls
A comprehensive risk management strategy will also demonstrate that your organisation is proactively managing how it can more effectively defend against cyber threats. In addition to lowering premiums, this lets your providers, customers and partners know that you’re taking your cybersecurity seriously.
The takeaway: be responsible for your cybersecurity
Cyber insurance should be tailored to your organisation, the industry it operates in and its security posture, but policies can vary greatly. Some may cover attacks from new types of threats as well as offer consultancy and risk management support, but it will be up to your organisation to ensure it has a policy in line with its essential priorities and objectives. In addition, most policies will be reviewed every 12 months, so you will need to keep the information you provide accurate and up to date; otherwise you risk invalidating any claims.
Cyber insurance is a worthwhile addition to any organisation’s cybersecurity, and for some it will be essential. The important thing to remember, though, is that your organisation alone is responsible for its overall cybersecurity maturity, and no level of cyber insurance will prevent cyber attacks from happening – but it can greatly reduce the impact on your organisation.