Why do you need Cyber Insurance?
Insurance is not security. Like all insurance it’s only useful when the unthinkable happens. But recent surveys show that
• less than 50% of UK businesses have cyber insurance
• the average cost to recover from a cyber-attack was £850k in 2022.
• the current average UK ransom payment is £1.7m.
• 40% of UK businesses reported a cyber-attack in 2022.
• the average business downtime is over 20 days a year.
• over 50% of SMEs that have cover have used it more than twice in a year.
How would any of these events affect your business? Insurance can help to cover the costs and get you back to productivity.
Requirements on businesses
We have noticed that the insurance application process, which used to come with a half page of questions on your IT infrastructure, has in some cases now increased to four pages of questions. Our clients instantly pass the task over to us to complete on their behalf, as they simply don’t know where to start.
The process has highlighted that insurers are looking for some basic cyber security measures to be in place. They will explore what technology you have that will reduce the risk to you and of course them. They will also look at how you will respond and recover from a disaster.
Changes to Policies
The requirements for a new policy are more demanding than those for a renewal, although renewals are now also subject to closer risk assessment. With a longer history of claims, the insurance market has matured and offers more options. Policies vary in coverage and premiums; there is more to choose from, and you can be more specific about your requirements instead of being stuck with standard terms.
You may be given options like:
• Covering only part of your business
• Choose a sector-specific policy, e.g. hospitality or maritime
• Define your own limits of cover
• Upload your risk assessment for review
• Upload your Business Continuity Plan for review
• Specific cover for the Personally Identifiable Information you process
• Reduced cover if you do not process certain data types
• Reduced premiums if you have continuous Cyber Security monitoring in place
• Declare your Cyber Essentials or ISO 27001 certification, which reduces premiums
When you are not covered
Here is a sample list of reasons why you wouldn’t be covered:
• Acts of war
• Having no security controls in place
• Human error, which is often excluded
• Not following your own compliance policies: having a policy is one thing, adhering to it is another
• Not reporting the incident to the insurer first
• Costs of other security support you arrange before your insurer's approved supplier is instructed
• The actions of internal bad actors (malicious insiders) may not be covered
We have seen bundles of cover being offered, where you can choose whether to cover:
• Loss of revenue
• GDPR fines
• Legal fees
• Ransomware negotiation services. Attackers know that companies will weigh whether paying the ransom is cheaper than rebuilding the network.
How to get the right cover at the right premium
The simplest way to achieve the right-sized cover for your business is to complete a risk assessment of your physical and information assets.
• Know your risks and build a plan to mitigate the biggest vulnerabilities. If you present a business that is aware and constantly assessing the risk, your insurance company will look upon you favourably.
• Put MFA in place, especially on cloud systems.
• Consider your supply chain and put agreements in place covering any processing of data you own.
• Create right sized policies around information governance.
• Prove that you are adhering to those policies
• Have technology controls in place, and prove you are monitoring them.
• Have good backups in place that are ransomware resilient, i.e. copies that an attacker with access to your network cannot encrypt or delete, and test that you can actually restore from them.
There is a lot to consider, but with premiums rising and an increase in the number of attacks on small businesses, now is the time to review your cover and ensure you have systems in place to reduce your risks.
If you need advice on reducing your risk, our team are here to help. Get in touch!