What should organisations consider if they are to prepare for cyber insurance?
Many businesses assume their insurance policies would pay out if they were brought to their knees by a devastating cyber attack, but most business insurance policies were drafted decades ago to cover tangible losses only, and they aren't automatically updated to include the latest cyber risks. In fact, most policies now come with small print detailing exactly what ISN'T covered, or limit the compensation for a malware incident to fifty quid or something equally minuscule. Cyber insurance is one form of cover amongst many hundreds of others, so it's unlikely your insurance broker will pick up the phone and try to sell it to you. The bulk of a broker's business is selling employer's liability and professional indemnity cover, and I don't think it's in your broker's commercial interests to spend time selling you a rarely requested product.
In short, you’re in this on your own. You will need to go and find cyber insurance, seek the help of a specialist broker, and end up paying through the nose for it.
Before you do this, work out exactly what you need to insure, and how much you need to insure it for. Can you insure against gross negligence or employee dishonesty that causes a devastating incident? Again, I'm seeing policies that are mostly weighted toward insuring the business against an unknown external assailant. They cover you for 95% of incident types, but the remaining 5%, which includes some of the most devastating attacks, are not covered. Don't assume insurance will solve all your problems: an insurer can quite easily decline to pay if you've failed to adhere to industry best practice, and the policy wording will usually say so.
Insurance (transfer) is only one way to deal with risk. Businesses can also accept, avoid or mitigate risks, and they'll need to once they spend any time reviewing what a cyber insurance policy actually covers. Assessing cyber security risk is not a complicated process. Frameworks such as ISO 27001 exist to help you identify the gaps and present the business with an analysis of which risks need treatment. An impulse purchase of an off-the-shelf cyber insurance policy is NOT the right way to go.
Policies that depend on an independent cyber security assessment are starting to appear. One example is Cyber Essentials. If you complete a Cyber Essentials assessment (pass or fail), then an insurance company will happily insure you against a breach of the controls you have in place. But they won't cover controls you don't have in place, or controls you thought were in place but which weren't effective at all. That way, insurers get to collect premiums from the masses and pay out limited amounts to the minority, under a very controlled set of circumstances.
Don't assume cyber insurance will have you covered. Do your homework: conduct an audit, carry out a gap analysis, give the business an honest picture of the risks that need treatment, and only then decide whether insurance is the right way to treat them.
Article written by Tim Holman for Computer Weekly – Security Think Tank