Is Your Organisation Wasting Money on Cyber Insurance?

How Accurate is Your Cyber Risk Assessment?

It is a condition of a cyber policy that certain security measures are in place: the importance of this was recently mentioned in an interview of insurer AIG:

“If [clients] have very, very low controls, then we may not write coverage at all.”

Just like robust door locks or health and safety measures, existing cybersecurity protection is a requirement of a cyber insurance policy.

When an organisation wishes to purchase cyber liability insurance, the insurers will often carry out a cyber insurance risk assessment before underwriting the policy. The detail of this risk assessment is dependent on the policy required and the company size. Smaller companies might only need to answer a questionnaire, but larger organisations may be assessed by a specialist firm that will examine their cybersecurity posture in detail. This proof of a robust cyber security posture is not a one-off exercise, continuous upkeep of security measures is expected. If a cyber-attack occurs and it can be shown that this was due to a security patch not being applied promptly, or anti-malware protection updates not being applied, or a lag in security awareness training, etc., a policy could be invalidated.

Cybersecurity Measures Required by Cyber Insurance

Cybersecurity measures are most effective when they are layered across the entire organisation and the people that use it: cybercriminals often find ways to circumvent technology by using social engineering, so our staff are as important a part of a robust cybersecurity policy as malware protection. Best practices recognize that security is not only reliant on technologies like anti-virus but covers ‘people, processes, and technology’. Also, a robust cybersecurity posture is a continuous process to keep ahead of the cybercriminal.

There are some basics that any company, no matter what size, should have as a foundation for security.

People

Social engineering and phishing focus on the people aspects of cyber-attacks. Employees are often tricked into clicking malicious links or downloading infected attachments. Crimes such as Business Email Compromise (BEC), often involve little if any technical compromise, instead, focusing on tricking an employee into sending company money to a hacker’s account. Crimes such as BEC cost companies around $2 billion (£1.3 billion) per year. Accidental data exposure is also a cyber risk, which is dependent on the people in your organisation. Security awareness training programs and simulated phishing exercises are used successfully to educate employees about the risks of cybercrime and how to be watchful for phishing and other scams.

Processes

The cybersecurity strategy of an organisation is vital in implementing effective cyber security. The processes that underlie this involve how data is governed and managed, policies and procedures in dealing with threats and mitigation of attacks, as well as how the company manages third party vendors.

Technology

In terms of technology, a cyber insurance policy assessment would look to see if the following basic areas of protection were in place:

1. Endpoint protection: corporate and personal devices used for corporate resource access, including mobile, laptops, tablets, printers, etc. Endpoint protection comes in many forms from basic anti-virus to more sophisticated Endpoint Detection and Prevention (EDR) against malware infection.
2. Robust authentication: phishing is a popular method used to steal passwords and other data. By adding in extra layers of authentication, such as a second factor, phishing attacks can be prevented.
3. Secure ransomware proof backup: having a secure system in place to minimise the disruption from a ransomware attack.