YOUR CYBER SAFETY NET
If you’re running a business, you need to have cyber insurance in your toolkit. This kind of coverage can help you deal with the aftermath of data breaches, security failures, or any other nasty stuff that cybercriminals might throw your way. And let’s face it, cyberattacks can be a real headache – they can cost you a lot of time and money to fix. So, whether you’re a small startup or a big corporation, cyber insurance can help you build up your defences and deal with the risks of the digital age. Reinsurance expert, Torsten Jeworrek, says:
“Cyber insurance is fundamental for the successful digitalisation of the economy.”
HOW’S YOUR EXISTING CYBERSECURITY?
Applying for cyber insurance? You might have to spill the beans about your security setup. That means all the technical, procedural, and human stuff that keeps your business safe from hackers. And getting that info might mean talking to a bunch of people in your company or even outsourcing to some IT whizzes. Here’s the thing: you need to figure out what’s most valuable to your business – what are your crown jewels? Also, think about the kind of worst-case scenarios you absolutely can’t afford. Don’t just settle for the bare minimum security standards that your insurance company wants you to follow. You need to take a closer look and make sure you’re protecting what matters most to you. Luckily, the NCSC has some tips on how to manage cyber risk, so you’re not just flying blind.
CYBER ESSENTIALS
If your organisation already has some kick-ass cyber security defences, you might be able to score a discount on your insurance policy. So, make sure you let your insurance broker know if you’ve got any certifications like Cyber Essentials or Cyber Essentials Plus. These schemes aren’t just about saving you some cash though. They also show your customers, partners and suppliers that you’re serious about protecting their data.
CYBER LIABILITY INSURANCE
If you’ve already got the Cyber Essentials certification, you might be eligible for cyber liability insurance from the IASME Consortium. But just because they offer it doesn’t mean it’s the right fit for your business. Be sure to check the details and ask questions to make sure the insurance meets your needs. As a rule of thumb, if your business has a turnover of £20 million and achieves self-assessed certification covering the whole organisation to either the basic level of Cyber Essentials or the IASME Standard, you’ll get a £25,000 limit of indemnity. Unfortunately, that’s only enough to cover a small data breach and won’t cover you for a serious problem.
WHAT DOES THE POLICY COVER?
Before buying cyber insurance, it’s important to understand how crucial your organization’s data, systems, and devices are to your operations so that you can get the right amount of coverage. Make sure you know exactly what the policy covers and what’s excluded. For example, some policies won’t cover losses due to business email compromise (BEC) fraud. This is just one example where a standard cyber security policy may not cover a common incident. If this is a concern for you, check that your policy covers it. Keep in mind that cyberattacks are always evolving, and you may become a victim of a new type of attack that didn’t exist when you took out the policy. Check with your broker to see if you’d be covered in case of a new type of cyberattack that’s not inherent to your current policy.
OTHER POINTS TO PONDER
- Consider if the cyber insurance policy covers claims for compensation by third parties or loss of personal data due to a data breach.
- Check the limits of the policy and ensure they are appropriate for your organization.
- Find out what services the insurer provides in the immediate response to an incident to help manage recovery and improve resilience.
- Ensure that your organisation can learn from what went wrong and adapt to be stronger in the future.
TYPICAL FIRST-PARTY COVER
First-party coverages include direct costs incurred by your business as a result of cybercrime. Usually, your insurer will cover:
- Investigating a cybercrime – paying experts to help you find the source of the cybercrime that affected your business.
- Managing an attack – hiring legal experts to advise you about regulations you need to comply with regarding a breach.
- Reputation management – covering the costs of a public relations campaign to repair your reputation or even paying for free credit monitoring services or credit protection services for affected customers.
- Recovering lost data or software programmes – hiring experts to repair and/or restore this data or software.
- Restoring computer systems – hiring experts to restore computer systems damaged by cybercrime.
- Business interruption – covering loss of revenue if a cyberattack or data breach prevents you from doing business.
- Notification costs – covering the cost of notifying affected third parties such as your customers and suppliers of a data breach.
REPLACE YOUR OWN HARDWARE
You should know that cyber insurance generally does not cover property damage, which includes computer and other technology equipment that is often damaged as part of the cyberattack. This can be problematic if the hardware has become so corrupt that it’s unfixable or more cost-efficient to purchase something new.
RANSOMWARE IMPACT ON CYBER INSURANCE
According to the 2022 Verizon Data Breach Investigations Report, ransomware accounted for 25% of all cybersecurity breaches. IBM revealed that the average ransomware payment is around £700,000 for companies that opt to cough up. That said, in June 2021 the meat-processing vendor, JBS USA, was hit by an attack and reportedly paid $11 million in ransom to criminals that were using the REvil ransomware. As such, insurers can be wary about covering ransomware or might offer it at a premium price. Josephine Wolff, a Professor of Cybersecurity Policy at Tufts University in Massachusetts, says of the rise in ransomware:
“Policyholders started filing a lot more ransom claims, and the insurers were making a lot less money – and they were worried that they would even start losing money. I definitely think that having insurance coverage for ransom payments changes the calculus for companies deciding whether or not to pay. It’s the difference between, ‘Am I going to be out of this money myself, or am I going to file a claim with my insurer and have them cover most or all of it?’”
WHAT SUPPORT WILL YOU GET?
Some insurers will offer additional services that can be really helpful if your organisation experiences a cyber security incident. These could include things like IT forensic services, legal assistance, or public relations support. They may even connect you with their own in-house cyber incident response team, or a third-party Cyber Incident Response (CIR) organisation. The NCSC has also published guidance on Incident Management that could help you plan and build an effective cyber incident response capability. When it comes to actually dealing with the impact of a cyberattack, most cyber insurance policies will focus on restoring your network systems and data as quickly as possible, while also minimising any losses due to business interruption. If any legal action arises from data breaches, your policy should help cover the costs of defence and settlement. Some policies will also cover other types of cyber-related incidents, such as computer-enabled fraud.
CLAIMING AND RENEWING YOUR POLICY
Most cyber insurance policies are checked every year, so it’s up to you to keep your organisation’s cyber security details accurate and up-to-date. Insurers need to know what kind of security measures you’ve got in place and any other relevant info. And if your situation changes, like if you add new tech or software, you need to let your insurer know so you stay covered. If you tell your insurer you’ve got security measures when you don’t, they might not pay out any claims if something goes wrong. Honesty is the best policy so always be upfront about your cybersecurity.
STAYING SAFE AND SECURE
As London’s #1 end-to-end business cybersecurity and IT support for SMEs, Zhero knows just how critical it is to embrace cybersecurity. First off, you’ll protect your business against cyber threats and demonstrate your commitment to good cyber hygiene. One way of achieving this is to obtain Cyber Essentials certification. Not only will you be protected against 80% of cyberattacks and enjoy lower cyber insurance premiums, but your SME will also stand out and gain a competitive edge. Does that sound good? Then get in touch with Zhero today and see how we deliver better IT faster.