We live our lives hoping that we will never need to make claims on our insurance policies. Whether that is home, motor, life or phone, making a claim generally means something isn't how it should be. Ultimately, a policy is there to protect something of value to us, and as the world in which we live changes, the information you hold and the systems you run your business on are valuable assets too. So is now the time to think about cyber insurance?
The key to good cyber insurance is finding a policy which allows you to balance your capabilities and good business practice against threats which are out there, but it's helpful to understand that this is a relatively new area of insurance. At the same time, remember that any cyber insurance policy isn't your primary defence or justification for poor security posture and practice.
#1 - You need to be doing security already
There is going to be some essential security which you must have in place to obtain a quotation for cyber insurance, and you need to be operating it all the time, not just at renewal. If you're missing any component from the initial list of prerequisites when you start shopping, please get in touch with Nettitude to help improve your security posture.
Don't forget that use of third parties is not a silver bullet. After all, you'll be responsible for the selection of those third parties in the first place, and for demonstrating that selection process to an insurer. Some insurers may extend coverage to third parties to a degree if their failure causes a detrimental impact on your business.
#2 - Good security and quality insurance are a natural fit
An enterprise that holds a strong security posture with supporting practices is aware that security incidents still happen. These might be person-centric, zero-day vulnerabilities within technology or even process failures; the list goes on. What the insurance does is provide that additional line of defence in your portfolio to account for the extreme instance which affects your profitability or potential liability.
The underwriters are not blind to your efforts and will capture information to reflect your posture in the premiums they charge and what coverage you receive - if this isn't the case, keep shopping!
Nettitude can assist you with the good security element here and have a range of services to help you improve your security posture, just get in touch.
#3 - When does the coverage begin?
As with any insurance policy, the inception date will be the start of cover; but again not all cyber policies are equal.
You may have something sitting dormant in your network for a long time before it becomes a problem, so it's important to check with the insurer whether you're covered from the time it was detected or caused a problem, rather than only from when the problem first entered your systems. For this reason the quality of the policy matters, but so do the regular activities you can perform to reduce the chance of that scenario, such as vulnerability scanning, penetration testing and red teaming exercises; speak to Nettitude for help.
#4 - Insurers' offerings can be massively different
The old saying 'you get what you pay for' is very much applicable with insurance. When you start to investigate the market, whilst it's important to think about technical aspects to answer their questions to get a quote, it's equally important to see what the product offers you back:
- What assistance are you getting from a legal perspective?
- What assistance can the policy provide from a public relations perspective?
- Does the product provide you with any technical capability in the event of an incident?
- How long will these services last in the event of a claim arising?
- Does the policy also include any security appliances, services and training? Some policies out there really do provide these things from day one.
These aspects, in conjunction with other planning, may give you further justification to invest in cyber insurance.
#5 - Terminology and Language variations
When you start to make enquiries about insurance, you may come across terms which are unfamiliar to the typical techie. This may simply be down to regional variance, particularly when the questions were written in a different country. Be sure to ask for clarification of the term, because otherwise an answer you provide in good faith, on which the policy premiums are calculated, may mean something different to the insurer.
Also, do not assume that a term which is familiar to you doesn't mean something slightly different in the context of the policy. Typical examples are 'confidential', 'sensitive' and 'information handler', particularly when the term also appears in legislation or other compliance regimes. Ask, ask and ask again.
#6 - Can you evidence your assertion?
Insurance in the UK is issued in good faith, and on that basis the Insurer might not look for validation or evidence around your statements or answers at policy inception. This being the case, should you find yourself needing to make a claim and then the request for proof arrives, might you start to become unstuck?
Look at the requirements of the policy and your business-as-usual processes together; should you identify a gap, be sure to take action to address it. It might be anything from adding a periodic check to realising there's a small gap in your defences. For those organisations operating ISO 27001, Cyber Essentials, or holding PCI DSS compliance, this will likely be much easier to complete. But if you're not sure you're aligning to the requirements of a cyber policy and find gaps in your processes, Nettitude can assist you through a range of services on offer, from Governance, Risk and Compliance through to testing and assessments.
#7 - It's not as expensive as you think.
A cyber policy should balance the costs against the risks it’s helping to mitigate, but it's probably not going to be as expensive as you think. Some of the policies have features to offset other expenses from your cyber security budget which means the actual cost of the policy is very affordable. From another perspective, not having a policy in place might land you with a hefty fine from a regulator, court or other associated costs such as forensic investigators - ask yourself if your organisation can pay not only financially but also in resource consumption without this having a significant impact elsewhere.
Some fines have run into the millions and dragged on for months (e.g. Target and Equifax), but not all policies will cover your fines, so choose carefully.
Ultimately, all good security is based on managing your risks and making an informed decision; insurance to support your risks is part and parcel of the same thing. Got any questions? Contact us today.