7 Questions to Ask About Cyber Insurance
As more and more aspects of our lives move into the digital realm, the risks we face from cyber threats are also increasing. This warrants the need for a plan to protect ourselves from the repercussions of such dangers. Enter the realm of cyber insurance policies. This topic, at first, may seem difficult to navigate. For this reason, Elasticito has compiled a list of 7 questions to ask about cyber insurance to make the journey as easy to understand as possible.
Defining Cyber Insurance
In today’s digital age, organisations face a range of cyber threats that are constantly evolving. The Identity Theft Resource Center’s (ITRC) 2021 Annual Data Breach Report revealed there were more “cyberattack-related data compromises” (1,603) in 2021 than “all data compromises” in 2020 (1,108). These attacks increased in nearly every primary business sector.
Cyber insurance can help protect your organisation financially in the event of a cyber incident, and also provide support with legal and regulatory action if required. Managing cyber incidents can be complex and technical, so having insurance in place can help to minimise business disruption and ensure you have the necessary support to recover. In other words, cyber insurance is important for any business that relies on IT systems and networks.
Cyber insurance is not a silver bullet for all of your cyber security issues, and it cannot prevent every possible cyber breach or attack. Just as homeowners must take measures to secure their homes, organisations must also put measures in place to protect their assets. Cyber insurance can help mitigate the financial damage caused by a successful cyber attack, but it is not a substitute for good security practices.
Ronan Lavelle, CEO – Elasticito
7 Questions to Ask About Cyber Insurance
Before considering any cyber insurance policy, you should ask yourself the following 7 questions to:
- Help protect your organisation by ensuring you have fundamental cyber security safeguards in place, and
- Understand present cyber risks and why it’s vital to take safety measures seriously.
Question 1: Who needs cyber insurance?
Cyber insurance can be beneficial for any business that has an online presence or sends or stores electronic data. Sensitive personal data such as contact details of customers or staff, intellectual property, or financial information is all very valuable to cyber criminals. Threat actors could attempt to break into your network and steal this data.
There’s also the potential for hackers to cripple a network with ransomware. A cyber insurance policy that covers ransomware could go a long way to helping organisations that fall victim to attacks like this find a way out of the predicament. Business email compromise (BEC) phishing scams are another form of cyberattack that can cost a business a large, sometimes six-figure, sum of money. These attacks see criminals posing as CEO’s, suppliers, or other trusted contacts and duping people into transferring payments.
Question 2: What existing cyber security defences do you already have in place?
When you purchase an insurance policy, the company will likely ask for information about the security controls you have in place. This could include technical controls, like firewalls and password protection, as well as procedural controls, like background checks for employees. Human controls, like security guards or camera surveillance, are also important. Gathering this information may require the input of a number of people in your organisation, or from outsourced providers to your business (e.g. IT).
Your employees are one of your most valuable assets, and also your biggest security risk. Unprepared employees can leave your organisation vulnerable to attack, but those who are prepared can help solidify your defenses.
Andrew Brown, CTO – Elasticito
Your organisation’s most important assets are its “crown jewels.” It’s crucial that you identify which aspects of your organisation need the most protection, as well as any scenarios that must be avoided at all costs. Don’t simply strive to meet the minimum cyber security requirements set forth by an insurer – this may not provide adequate protection for what your organisation values most.
Moreover, buying the right policy requires organisations to understand their potential shortcomings before evaluating whether a cyber insurance policy protects them.
Question 3: Why do I need to bring together different experts to assess a policy?
If you’re not up to date on the latest cyber security jargon, a cyber insurance policy can be tough to understand. Make sure to identify people in your organisation who can help decode the technical information in these policies. This may include:
- Lawyers, to deal with contracts;
- Technical experts, who manage and run your IT and cyber security systems, and
- Human resource practitioners, who are responsible for the organisation’s processes and procedures
If you don’t have direct access to technical expertise, you may want to use a cyber security consultancy firm such as Elasticito to give advice and guidance on how to assess potential policies.
Question 4: Does the cost of cyber insurance outweigh the cyber risk?
Nearly three-quarters of organisations suffering an attack (71% of businesses in the United States, according to Hiscox) have paid a ransom when targeted. The cost of a ransom could force many businesses to close their doors for good. However, there is no reason to automatically budget for this cost every year, especially when there is a chance to improve the situation and make your defenses stronger. The Hiscox Cyber Readiness Report 2021 revealed that less than one-third of companies have a stand-alone cyber insurance policy. Given the size and severity of the threat, it is hard to believe the number isn’t significantly higher.
As cyber attacks become more common, many organisations are incorrectly assuming that they can avoid being targeted. They may erroneously think that their organisation is too small or insignificant to be noticed by hackers. However, even smaller attacks can have major consequences. All it takes is one successful breach to wreak havoc on a business. Often, organisations don’t realise they’ve been attacked until it’s too late.
Question 5: What does a cyber insurance policy cover?
Before you buy insurance, it’s crucial that you understand how vital your organisation’s data, systems, and devices are to its operations. That way, you can set an appropriate level of coverage. When considering a cyber security policy, it is also important to understand both what the policy covers and what is excluded. For example, some policies may not cover BEC fraud. If this is a concern for you, be sure to check that your policy covers this specific type of incident.
It is important to note that as cyber attacks evolve, you may become vulnerable to new types of attacks that your current policy does not cover. Make sure to check with your broker to see if you would be protected against any new and emerging threats that may arise.
Cyber insurance claims can be triggered by many sorts of incidents. Currently, the most common are:
- Ransomware,
- Fund-transfer fraud attacks, and
- BEC fraud
Question 6: Does the policy include support during (or after) a cyber security incident?
As the number of cyber security incidents across the world continues to rise, more and more insurers are offering services to help organisations deal with them. These services can be extremely helpful in the aftermath of an incident, providing:
- IT forensics,
- Legal assistance, and
- Public relations support
In some cases, insurers will even put you in touch with a Cyber Incident Response (CIR) organisation or their own internal response team.
Question 7: What must be in place to claim against (or renew) your cyber insurance policy?
It’s important to keep your cyber insurance policy up to date, as your coverage may be re-assessed every 12 months. Make sure your organisation’s cyber security details are accurate and complete, so that insurers understand the measures you have in place. Also be sure to notify your insurer of any changes in circumstances, as this could affect your coverage. If you make a claim for damages that are not covered by your policy, the insurer is not obligated to pay out.
As the UK’s NCSC points out, some insurance policies will cover money lost in BEC fraud – but it’s often part of a specific policy that’s directly related to BEC. It therefore may not be covered by standard cyber security insurance – and your organisation could be left without any aid if that’s the case.
Summary
As the frequency of cyber attacks continues to increase and cyber criminals get more brazen with campaigns, no business, company or organisation, big or small, can afford to be complacent. If you want to keep your organisation safe, you need to start preparing today. As the age-old saying goes, a strong defense is the best offense, so don’t wait any longer.
Contact Elasticito for further advice regarding cyber insurance policies, queries or concerns about cyber security, security awareness and cyber threats.