Cyber insurance: A guide for businesses – IT Governance UK Blog


Cyber threats are so numerous that it’s impossible to prevent security incidents altogether.

That’s why organisations are increasingly relying on cyber insurance policies to cover the costs when data breaches and cyber attacks occur.

But just how helpful is cyber insurance? We take a look at everything you need to know in this blog.

What is cyber insurance?

Cyber insurance is a specific type of protection, helping organisations mitigate the financial costs associated with information security incidents.

These costs typically won’t be included in standard business insurance policies, which tend to cover only the damage or loss of equipment itself, rather than harm caused by a cyber security event.

How does cyber insurance work?

When a covered organisation suffers a security incident and submits a claim, the insurer will investigate and then pay out accordingly.

Security incidents cause many issues that can’t be fixed with financial reimbursement, such as the time and effort it takes to recover or the reputational damage you could face.

Moreover, the cost of a data breach depends on how quickly an organisation can detect and respond to the incident. Indeed, Ponemon Institute’s Cost of a Data Breach Report 2020 found that organisations that can address a breach within 200 days save about £750,000 compared to those that take longer to respond.

If organisations have to wait for their insurer to review the incident, the costs will escalate and their premium will increase.

You must therefore view cyber insurance as a complement to your cyber security defences and an extra resource to mitigate costs rather than an alternative.

What does a cyber insurance policy cover?

Cyber insurance covers the financial costs of incidents that affect the confidentiality, integrity and availability of information. This includes cyber attacks and data breaches, as well as other events that impact IT systems and networks.

Policies generally provide organisations with the means to manage the incident. This includes forensic investigation, incident response, legal assistance and public relations support.

What is not covered by cyber insurance?

Cyber insurance policies generally don’t cover damages that were caused or exacerbated by the organisation itself.

This might include business email compromise fraud or acts of gross negligence.

Likewise, some insurers won’t reimburse organisations that pay up after a ransomware attack. Experts advise organisations not to pay, because payment helps fuel the cyber crime industry and could mark the organisation as a soft target for future attacks.

Who needs cyber insurance?

Any organisation that relies on information technology or processes sensitive data is vulnerable to cyber attacks and data breaches, and should therefore consider cyber insurance.

You can find out whether cyber insurance is the right strategy by following ISO 27001’s risk assessment methodology, which helps organisations decide the most appropriate way to address cyber security issues.

Organisations can:

  • Modify the risk by applying security controls that will reduce the likelihood of it occurring and/or the damage it will cause.
  • Retain the risk by accepting that it falls within previously established risk acceptance criteria, or via extraordinary decisions.
  • Avoid the risk by changing the circumstances that are causing it.
  • Share the risk with a partner, such as a cyber insurance firm or a third party that is better equipped to manage the risk.

How much does cyber insurance cost?

An AdvisorSmith study found that the average cost of cyber insurance was $1,500 (about £1,160) per year for $1 million (£770,000) in coverage.

However, the costs will vary greatly depending on the organisation’s size, industry, the amount of sensitive data it processes and the strength of its existing cyber security measures.

Some insurers may also offer different levels of protection. For example, you could pay less each month but be covered against a smaller set of damages – or vice versa.

Is my existing cyber security enough?

Organisations are free to decide whether they should purchase cyber insurance.

In most cases, there is no legal or contractual requirement to have cyber insurance, so the organisation might decide that its budget is better spent on cyber defences and business continuity management.

However, there may well be times where it makes financial sense to invest in cyber insurance, for example when the costs of a breach far exceed the amount you would be paying in coverage.

Also, it’s worth remembering that almost all insurance brokers state that the organisation must take appropriate steps to prevent security incidents.

Make sure you have the right defences in place with our Cyber Security as a Service.

With this annual subscription service, our experts are on hand to advise you on the best way to protect your organisation.

They’ll guide you through a variety of security practices – including vulnerability scans, staff training and the creation of policies and procedures – ensuring that you have the foundations of an effective security strategy.

These measures will help you stay one step ahead of cyber criminals, preventing a wide array of threats and putting you in a position to claim competitive cyber insurance rates.
