A successful cyber-attack on a business can result in substantial financial losses which can be difficult to recover from. It’s not just big organisations who targeted, it’s also smaller businesses like hairdressers or coffee shops.
It can disrupt a business to the point where it simply cannot function and may require costly technical support to try and recover from the incident. It can result in loss of income caused by the disruption and once the incident is over, a business can then face legal and regulatory actions.
Because of these risks, many businesses are now considering purchasing cyber insurance, but how do you know if it’s right for your business? The NCSC has just released new Cyber Insurance Guidance to help you ask the right questions if you are considering cyber insurance for your business, summarised below:
What existing cyber security defences do you already have in place?
It is important for you to identify what within your organisation needs protecting the most (your 'crown jewels'), and to also identify any scenarios that must not happen. Do not limit yourself to meeting the minimum cyber security requirements specified by an insurer; these might not adequately protect the things your organisation cares about.
How do you bring expertise together to assess a policy?
Cyber insurance policies often contain detailed technical information, which can include cyber security jargon. If you don't fully understand the policy, you may need to identify people in your organisation who can help. This may include people who:
deal with contracts (lawyers/commercial managers)
manage and run your IT and security systems (technical experts)
are responsible for the organisation's processes and procedures (such as human resources)
Do you fully understand the potential impacts of a cyber incident?
A cyber incident can impact a business in a variety of ways. It is important to build up a full understanding of how you're impacted, and the effects this will have on your organisation. This includes the financial impact of business interruption, and the associated costs of response and recovery.
Unlike incidents such as a fire or theft, cyber incidents are often not restricted to a single location. Understanding how your organisation operates and the inter-dependencies between different parts is vital to determining the extent of an incident, which may have global implications.
What does the cyber insurance policy cover (or not cover)?
Make sure you understand in detail what the policy covers, and equally important, what is excluded. For example, some insurance policies will not cover monies lost through business email compromise fraud. This is just one instance where a relatively common incident may not be covered by a standard cyber security policy. If business email compromise (for example) is an issue for you, you'll need to check that your policy covers this.
What cyber security services are included in the policy, and do you need them?
Many insurers will offer cyber security consultancy services and risk management support once you have taken out their policy. This may include providing resiliency planning in addition to financial protection. Making use of these services and the expertise that come with them, especially if you don't have access to these skills in-house, may help reduce the chance and impact of a cyber incident or breach.
Does the policy include support during (or after) a cyber security incident?
Most cover responds to the immediate effects on the organisation by working to quickly restore network systems and data, while seeking to minimise losses from business interruption. For data breaches, there may be legal action from customers or other affected parties. The defence and settlement of such claims would normally be covered. Certain cyber insurance policies will go further and cover other cyber-related incidents such as computer-enabled fraud.
What must be in place to claim against (or renew) your cyber insurance policy?
Most cyber insurance policies are re-assessed every 12 months. The onus is on you to ensure that your organisation's cyber security details are accurate and up to date. It is important for insurers to understand what cyber security measures you have in place and provide any other details they require. As with other insurance policies, you should also let your insurers know when your circumstances change so that you're still covered. If you're claiming that security measures are in place when they're not, the insurer may not be obliged to pay any claims.
Whether you decide cyber insurance is right for your business or not, it should never be a substitute for having fundamental cyber security in place.
The full NCSC Cyber Insurance Guidance provides further considerations for businesses on purchasing cyber insurance.