Insurance policies, such as employer liability insurance, mandate certain protective measures; an enforced health and safety policy is an example of a policy requirement. If there are no safety guards on machinery and an accident happens, the liability insurance may be invalidated. Cyber insurance is much the same. Without attention to the finer details of a policy's requirements, you may find, when the time comes to make a claim, that the claim is rejected.
A cyber insurance policy is not effective unless the right kind of security measures are in place at the time the insurance is taken out and throughout the lifetime of the policy.
The cyber insurance landscape
Cyber insurance, cyber liability insurance or cyber security insurance is a relatively new policy type in the insurance landscape. Back in the early 2000s, cyber insurance cover was offered as an extension to existing insurance policies for companies in the technology and professional sectors. As cyber risks began to percolate across sectors during the late 2000s and into the early 2010s, specific cyber insurance policies emerged. This reaction to the changing cyber risk landscape reflects the tsunami of cyber-attacks that plague modern digital life. A 2021 UK study from the Department for Digital, Culture, Media and Sport (DCMS) offers an insight into the increased risk levels to businesses:
- Almost 65% of all businesses were victims of a cyber-attack in the previous 12 months.
- Of those, 21% lost money, data, or other assets.
- 35% were negatively impacted, requiring new post-breach measures, disruption to staff, or suffering wider business disruption.
- 83% of attacks were based on phishing.
Ransomware, a current favourite amongst cybercriminals, has doubled in the UK in the last year. Ransomware is no longer just about encrypting data and demanding a ransom; modern ransomware criminals also steal vital company data.
A recent Lloyd's Syndicate report noted that:
- The average ransomware demand / payment is between €18k & €21k
- In 73% of cases where payments were made, the victim did not get their data decrypted.
Other elements that increase the cyber risk within an organisation are accidental in nature but can be just as damaging. A report from the UK's Information Commissioner's Office (ICO) found that 90% of the data breaches that came under its watch were caused by human error.
Breaches, whether accidental or malicious, end up costing a business in terms of lost data, reputation damage, system downtime, and ultimately non-compliance fines.
Cyber insurance was developed to offer specialist coverage that helps alleviate the financial impact of a cyber-attack; it does not stop the attack from happening.
What cyber insurance actually covers
Cyber insurance policies vary, but typical policies cover the costs of the first-party and third-party impacts of a cyber-attack.
Coverage usually includes costs associated with:
- Investigation: investigating a cybercrime
- Data recovery: recovering data lost during a security breach
- Restoration: recovering affected computer systems
- Loss of income: business interruption caused by business shutdown during an attack (e.g., the impact of a ransomware or DDoS attack)
- Ransom payment: ransom demands from hackers
- Breach notification costs: notifying authorities and customers about a breach
- Reputation management: managing the fallout on a company's brand post-breach
- Human error: costs associated with mistakes that result in a data breach or IT failure
Cyber insurance will cover the costs of a cyber-attack only if robust protective measures are in place at the time a policy is taken out. Importantly, these measures must continue to prevent cyber-attacks even as the threat landscape changes.
It is also worth noting that the financial costs of a cyber-attack are not the only adverse impact: employee morale, the dismissal of staff, and even the share price can be affected.
How accurate is your assessment?
It is a condition of a cyber policy that certain security measures are in place; the importance of this was recently mentioned in an interview with insurer AIG:
“If [clients] have very, very low controls, then we may not write coverage at all.”
Just like robust door locks or health and safety measures, existing cybersecurity protection is a requirement of a cyber insurance policy.
When an organisation wishes to purchase cyber liability insurance, the insurer will often carry out a cyber insurance risk assessment before underwriting the policy. The depth of this risk assessment depends on the policy required and the size of the company. Smaller companies might only need to answer a questionnaire, but larger organisations may be assessed by a specialist firm that examines their cybersecurity posture in detail. This proof of a robust cyber security posture is not a one-off exercise: continuous upkeep of security measures is expected. If a cyber-attack occurs and it can be shown that it was due to a security patch not being applied promptly, anti-malware updates not being applied, a lag in security awareness training, or similar lapses, the policy could be invalidated.
What defence strategies do cyber insurance policies expect to be in place?
Cybersecurity measures are most effective when they are layered across the entire organisation and the people who use it. Cybercriminals often find ways to circumvent technology by using social engineering, so our staff are as important a part of a robust cybersecurity policy as malware protection. Best practice recognises that security does not rely only on technologies like anti-virus but covers 'people, processes, and technology'. A robust cybersecurity posture is also a continuous process of keeping ahead of the cybercriminal.
There are some basics that any company, no matter what size, should have as a foundation for security.
Social engineering and phishing focus on the people aspect of cyber-attacks. Employees are often tricked into clicking malicious links or downloading infected attachments. Crimes such as Business Email Compromise (BEC) often involve little if any technical compromise, instead focusing on tricking an employee into sending company money to a hacker's account. Crimes such as BEC cost companies around $2 billion (£1.3 billion) per year. Accidental data exposure is also a cyber risk that depends on the people in your organisation. Security awareness training programmes and simulated phishing exercises are used successfully to educate employees about the risks of cybercrime and how to be watchful for phishing and other scams.
The cybersecurity strategy of an organisation is vital in implementing effective cyber security. The processes that underlie this cover how data is governed and managed, the policies and procedures for dealing with threats and mitigating attacks, and how the company manages third-party vendors.
In terms of technology, a cyber insurance policy assessment would look to see if the following basic areas of protection were in place:
- Endpoint protection: corporate and personal devices used to access corporate resources, including mobiles, laptops, tablets, printers, etc. Endpoint protection comes in many forms, from basic anti-virus to more sophisticated Endpoint Detection and Response (EDR) against malware infection.
- Robust authentication: phishing is a popular method used to steal passwords and other data. By adding extra layers of authentication, such as a second factor, a phished password alone is not enough to gain access, so phishing attacks can be prevented from succeeding.
- Secure, ransomware-proof backup: having a secure backup system in place to minimise the disruption from a ransomware attack.
Where does cyber insurance fit in?
Cyber insurance policies may pay out against financial losses, but the loss of data or an IT failure can have a far-reaching impact that financial compensation does not cover. Cyber insurance should instead be used as an extension of the cybersecurity policies and measures that protect your business from cybercriminal exploitation and accidental data exposure. Without robust, regularly updated security measures across your technology estate, people, and processes, you leave your organisation open to cybercriminals.
Find out more on how you can protect your business:
+353 818 229 239