The purpose of cyber insurance is basically the same as any other form of insurance. Insurance provides protection if a rare but unaffordable event should occur, that could otherwise severely damage the financial position of the business and potentially lead to bankruptcy.
However, as with home or car insurance, where if you leave your car unlocked with the keys in the ignition and it is stolen, or hide your front door key under a plant pot and all your possessions are stolen, then no insurer is going to pay out. Nor is cyber insurance likely to cover intangible impacts such as reputational damage, so it is not an alternative to proper cyber protection.
Insurance companies are there to make a profit, so on average their pay-outs will be less than the premiums they receive. Nonetheless, because taking precautions such as fitting better locks and alarms can reduce home and car insurance costs, the same principle is true for cyber insurance. The more recognised protection measures that are in place, the lower premiums are likely to be.
This might include certification under the Cyber Essentials Scheme and the ISO27000 series of standards, the use of certified services providers. The company’s own protection and processes and the integration of relevant services into the incident response plan is also important.
This reasonable level of protection needs to be in place for insurance to be valid. In terms of physical security, this would typically mean recognised standards of lock alarm systems, CCTV surveillance, etc.
Nevertheless, what is deemed reasonable and good practice will change over time and is changing more rapidly for cyber security, so it is also important to keep that protection up to date and going further than the minimum required by the insurer may also reduce premiums.
In particular, your backup strategy needs to protect against the latest ransomware attacks, which target the backup as well as online data. Some policies may protect against new and unknown attacks, but probably not a new attack that you should reasonable be expected to know about.
When approaching cyber insurance, the first step is to identify what it is that needs to be protected, for example what are the organisation’s valuable data assets and what systems or services, if impacted by an attack, could severely damage the business? Then, taking these into account, what would be the costs involved should there be an attack? These could include:
- The cost of responding to the attack itself, either internal, or external service provider costs, media and social media management, etc.
- Legal and regulatory costs (such as notification to the ICO and affected third parties).
- Cost of loss of access to systems or data, in particular from a ransomware attack. Including loss of production.
- Third-party claims – loss of personal data, third-party financial losses, damages for late deliveries, inability to deliver services, etc.
- Customer claims if your products or services that have been infected with malware are part of a supply chain attack.
- Reputational damage and other intangible costs that may not be covered.
This should help to identify what any policy should cover and also provide an estimate of the level of cover that may be needed.
Once the need has been identified, it is possible to check insurers’ offers to see how much can be covered. This is never that easy with insurance policies and cyber security can have technical complexities, so will need support from technical and legal experts to comb through the detail and ensure that the cover is appropriate and confirm what is covered and what is not covered.
This would need to include the identification of specific protection and certification requirements, as well as cover for new and emerging attacks and any potential exclusions, or limitations. For example, are third-party claims and data breaches included? Other considerations might be what advice, guidance or consultancy services are available from the insurer.
Cyber insurance has matured significantly over the past few years, but can still be complex. At the same time, the threat of a cyber attack is changing as quickly as ever and the cost of it can be crippling to some businesses. Cyber insurance is therefore a legitimate tool for many to protect their businesses.
But a degree of diligence is needed in selecting suitable insurance and verifying that the cover is appropriate, as well as the systems are up to scratch so that any claims will be valid.