Insurance is one of those things that you hate to pay for until you need to make a claim. You then realise why you paid the money (if the policy pays out!).
You can get insured for most things; for example, Alien Abduction, Wedding ‘Change of Heart’, and even body parts, should you be so inclined (Tom Jones allegedly insured for his chest hair to the tune of £5 million); however, you may find it increasingly difficult, in future, to obtain cover for Cyber incidents.
Why?
Insurance firms piled into a seemingly lucrative market by offering Cyber Insurance which would cover many aspects of a cyber breach – the cost of ransom, recovery, incident management and reputation repair, amongst others. However, the claims rates have been such that many providers are withdrawing from the market. Those left ensure that their potential clients are subject to rigorous questions about their cyber security readiness and their application of cyber awareness across their business.
Cyber insurance is no longer a thing you can just go and buy after searching for the best price – you will probably have to fill out a comprehensive questionnaire that will not only ask what equipment or software you might have deployed, such as firewalls and spam filters, but also if you have policies in place and a cyber awareness training programme that educates your employees to spot potential threats. The consequence of making a weak application for insurance will be either higher premiums or, most likely, the inability to get insurance at all.
Double trouble
If you currently have a mindset in your enterprise that serious cyber security is for other businesses and that cyber insurance is an expensive ‘must have’, then you may be in for a surprise. Soon, to get any cyber insurance that is of any value (it pays out!), you’ll have to pay good money to put protections in place to qualify. Not only will you have to invest in a multi-layered security approach, but you’ll also need to ensure that it is always current and subject to audit.
For some businesses, quite rightly, Health and Safety is a ‘must do’ and will undoubtedly be a foundation discipline which is a focus of the business – often being the first agenda item at a board meeting. Being cyber safe is now racing up behind this to consume management time and make the organisation cyber fit for the current climate.
Where to start?
Being reactive is no longer an option. This means, of course, being proactive – doing something – putting a framework in place and proving that you are compliant. For small and medium-sized businesses, a good place to start is with Cyber Essentials and Cyber Essentials Plus, a framework devised by the UK Government by the National Cyber Security Centre (NCSC). By gaining certification under the scheme, you can show that you are committed to being Cybersafe.
Beyond the basics
For small and medium enterprises, the bar to reach becomes higher as the complexity of the organisation and the threat surface increase. This is when it is worth considering a more comprehensive framework, such as the CIS controls (Centre for Internet Security).
Following the CIS controls and implementing the policies will improve your overall security stance and the chances of your getting insured at a reasonable cost.
Benefits beyond insurance
The effects of a cyber compromise can be profound. It may stop you from doing business whilst you remediate the issue. It could result in you paying out a ransom. It could see the loss of vital money through a redirection of funds – all in themselves a disaster. Sure, you may get some money back through that expensive insurance, but will you fully regain your reputation?
People work with people they trust. If you are compromised and threaten the integrity of a business partner’s security, whether customer or supplier, they will potentially consider if you are a threat to them. By showing that you are committed to being Cybersafe you are also displaying a commitment to their business.
