Cyber insurance is a relatively new area that’s hard to navigate. A standard policy is hard to come by and it’s difficult to know what you’re getting for your money. This article will seek the expertise of leading legal minds and cyber experts to discuss these problems.
Be prepared to show sufficient security measures
Cyber insurance providers will not offer cover for attacks to businesses that seem to be at fault for those attacks.
Companies that have come under attack will need to prove to insurance providers that they have done everything necessary to prevent the incident from happening.
Not only is this important when making a claim, but it could provide access to perks beyond the basic offering.
“To get the best price premiums, the company will need to show it has adequate security in place,” said Ken Munro, partner at Pen Test Partners. “Just having a firewall and passwords isn’t sufficient.
“You need to demonstrate that you’re aware of the areas of risk within your business and have taken reasonable steps to protect yourself.
“The insurer should look at the organisation’s security during the risk assessment and actuarial process in order to decide whether the organisation is taking security seriously.”
Check for risks and look to reduce them
A good way to ensure that security measures are carried out to the standard of cyber insurance providers is to examine and analyse your entire system for any vulnerabilities that may be present.
Companies should not leave its system’s safety in the hands of the insurance provider, so must take responsibility for the duty of ensuring sufficient protection.
“It is key that organisations do not look at cyber insurance as a silver bullet of protection,” explained Nik Whitfield, CEO of Panaseer. “You don’t get car insurance and then leave the vehicle unlocked and drive like a maniac. The same applies to cyber insurance.
How data analytics is changing the Insurance industry
“Organisations can never be 100% secure, but they can be 100% sure of their position. With that in mind, the first question the board must be directed internally to their security team — what is our risk from cyber, and how can reduce this?
“By being clear on the risks, the conversation can then move onto the cyber security insurance policy, for which the board must ask for clear details on the scope and details, so that they can make sure that they are adhering to the policy in place and that it protects them from any damaging cyber events.”
Read up on customisations
There is no ‘one size fits all’ when it comes to cyber insurance policies. Different providers cater for different areas and issues, and this means that a company from one sector will require a different policy to a firm from another.
Every company’s ‘bottom line’ is different, so it’s vital that prospective claimants look into possible customisations to insurance policies.
“Cyber insurance has numerous customisations and endorsements to cover specific events, including system failure, when someone kicks the power cord, data breach, when your systems are compromised, or tech ‘Errors and Omissions’ (E&O), protecting against lawsuits in the case of a faulty product),” explained Matt Honea, director of cybersecurity at Guidewire Software.
“Companies should look at their bottom line and decide whether a large portion of revenue is related to their computer systems. If those computers are connected, there is always a risk of malicious actors gaining access to those systems.
“Having a security team, using encryption, and keeping backups are all generally part of the premium equitation. Since cyber insurance is unregulated, price is often dictated by market conditions as well.”
Read the fine print
It can’t be said enough that reading through a cyber insurance policy carefully and all the way through is paramount if companies are going to get the best value.
This duty goes beyond the aforementioned customisations that different policies offer, and includes a legal aspect that is common within all contracted agreements: the fine print.
The purpose of fine print, also known as small print, is to add further explanation to a product or service. In the realm of cyber insurance, this is important due to the lack of regulation that comes with it being such a new concept.
“Those companies looking to purchase cyber insurance need to remember it’s an emerging market and therefore is largely un-standardised,” said Zulfikar Ramzan, CTO of RSA Security. “They need to remember to critically read the terms of their policy, so that if they do need to make a claim it will definitely get paid.
“For example, some policies have small print that states they do not cover ‘insider compromise’ — but what exactly are the parameters of this? Does insider compromise include an employee that has been spear-phished, for example?
“So, my advice is that while insurance is one more tool that could help businesses manage their cyber risk, as with any tool, they need to understand the fine print and don’t get lulled into a false sense of security.”
Phishing: Avoiding the growing threat to business data
Get assistance from your security team
When it comes to internal discussion about what kind of cyber insurance policy to choose, it may be worth looking to any experts within the firm who may be able to make this kind of decision.
All companies should have a department dedicated to cyber security, or at least an IT team that knows about this area, and these employees are bound to aid sufficient decision making.
David Dufour, vice president, engineering and cyber security at Webroot, explained: “While the conversation about insurance is often led by financial divisions of a company, such as at the C-suite level, the security department should be involved at the very start to help draw up policies and expected coverage levels.
“No one will have a better understanding of the technical language and definitions within a cyber insurance contract that the CISO, or other members of the security team.”
“Hire them young” Melanie Oldham gives her tips for building a cyber security team
Consult professionals in business and security
If cyber insurance policy discussions within the organisation don’t prove to be fruitful, executives can always seek external guidance.
Not only is it a good idea to know what policies would cover which areas of security, but there may be experts outside the company who can help choose providers that offer the best value.
“Damages resulting from cyber liability can be difficult to quantify and grasp,” said a spokesperson from Genetec. “Translating cyber risks into a financial model is a key step in ensuring adequate coverage.
“If you don’t have the resources in-house, consider seeking guidance from a professional broker or field expert who understands both worlds of business and cyber security risks.”