As a business, you will likely already have a range of insurance plans and policies in place, from employer’s liability to professional indemnity insurance – but what about cyber insurance?
In 2022, we are experiencing a heightened risk of cyber threats following a period of accelerated digital transformation, which has left many organisations with gaps in their cybersecurity. As such, now more than ever, a smart cyber insurance policy can provide much-needed support in managing the financial and reputational repercussions of a cybersecurity breach.
Why you should consider cyber insurance
- Cyber insurance generally covers losses relating to the damage of, or loss of information from, systems and networks as a result of a cybersecurity breach.
- Cyber insurance can help to manage cyber attacks and provide support during and after the incident.
- The support from your cyber insurance policy can cover financial losses, reputational damage and regulatory enforcement.
- It can provide cybersecurity support and expertise that might not be available within your organisation.
- Insurance may also help recover compromised data, repair damaged systems, and manage affected customers/clients.
Why now?
Reports show that cyber insurance premiums have increased significantly in the last 12 months – with prices up by 130% in the US and 92% in the UK at the end of 2021 (Marsh Global Insurance Market Index). This is likely a response to high-profile attacks whose financial cost to organisations has reached the millions, and to the fact that critical organisations within the public sector are particularly susceptible to attack because of the highly sensitive information they handle (40% of the incidents managed by the NCSC in 2020/21 were aimed at the public sector).
While premium costs will likely be a significant investment to organisations, they do seem to be a reflection of the potential severity of cyber attacks – remember, if you experience a cyber attack, the costs are not only financial but also reputational. So, with cyber insurance prices predicted to continue increasing year on year, now is the time to consider securing a policy that will provide the best support to your organisation in the event of a cyber attack.
Three steps to securing cyber insurance
Here are three steps to help your organisation meet the requirements for securing cyber insurance and get the most out of your policy.
1. Assess your security posture
When purchasing an insurance policy, you will be required to provide information about your organisation’s existing security controls, for example, the technical, procedural and human controls you have in place. Your organisation will need to set aside appropriate resources to accurately source, manage and compile this information. This process tells cyber insurers how mature your current security posture is and helps them build a policy suited to the level of security you already operate with.
A thorough assessment and understanding of your current security posture will ensure that you receive the most relevant cover and that you’re only paying for the cover, services and support your organisation requires. On the flip side, it will also highlight what essential cover you need that you might not have previously considered.
This step also evaluates where you’re at with your cybersecurity – remember, insurance will not prevent you from experiencing a security breach, so cybersecurity maturity should still be essential to your organisation’s ongoing digital strategy and overall business objectives.
2. Identify priority assets and infrastructure
The whole point of having cyber insurance is to protect what’s most important to you as an organisation, so you want to make sure the policy and provider you have will be able to cover your priority assets and infrastructure in the event of a cyber attack. While most providers will probably specify a set of minimum cybersecurity requirements your organisation will have to meet, limiting yourself to the bare minimum may not be sufficient for your organisation, so it’s essential to identify your cybersecurity priorities.
At this step, you should also consider the significance of damage or loss to any physical assets and the repercussions of a breach for service delivery and reputation. How important is it to your organisation that you continue or reinstate service delivery as quickly as possible following a breach? Does your provider have the cyber skills to support this? Likewise, would reputational damage be more costly to you in the long term than the initial costs of a data or information breach? If so, you may want to align with a provider that has experience in PR and in managing high-profile attacks.
3. Review your cybersecurity defences
As with the first step in this short guide, a review of your current cybersecurity defences can be incredibly beneficial before investing in cyber insurance. This is because the defences you have in place as an organisation can influence how insurance providers assess your liability. If your organisation already has recognised or certified cybersecurity defences in place, some insurers will offer discounts or reductions in price – so make sure you have a thorough overview of these. They might include:
- Cyber Essentials or Cyber Essentials Plus
- ISO/IEC 27001
- Managed Detection and Response (MDR)
- Next-generation firewalls
A comprehensive risk management strategy will also demonstrate that your organisation is proactively managing how to defend against cyber threats more effectively. In addition to lowering premiums, this lets your providers, customers and partners know that you’re taking your cybersecurity seriously.
The takeaway: Be responsible for your cybersecurity
Cyber insurance should be tailored to your organisation, its industry, and its security posture, but policies can vary greatly. Some may cover attacks from new threats and offer consultancy and risk management support, but it will be up to your organisation to ensure it has a policy aligned with essential priorities and objectives. In addition, most policies will be reviewed every 12 months, so you will be required to maintain accurate and up-to-date information; otherwise, you could risk invalidating any claims.
Cyber insurance is a worthwhile addition to any organisation’s cybersecurity; for some it will be essential. The important thing, though, is to remember that your organisation alone is responsible for its overall cybersecurity maturity, and unfortunately, no level of cyber insurance will prevent cyber attacks from happening – but it can greatly minimise the impact on your organisation.