Jakub JirsÃ¡k - stock.adobe.com
Taking out insurance policies to financially protect our cars, homes and other personal effects against theft or damage is second nature to a lot of people. But where businesses are concerned, insuring against the worst happening to their IT infrastructure is almost an alien concept.
In a nutshell, cyber insurance provides companies with a layer of protection against potentially debilitating financial damages should an outage or data loss incident occur that could result in lost business, reputational damage or even harm to a long-standing customer relationship.
Having a policy in place can make a huge difference when the virtual chips are down, and a company is knee-deep in panic mode during a cyber attack, for example. Knowing there is a financial buffer in place can ease some of the stress associated with such an incident, and means the business can focus all its efforts on remediation, rather than worrying about the post-event financial fallout.
Before any such event occurs, though, the most important thing to understand is how cyber insurance works and can be used, and – more importantly – understand what a policy is not likely to cover.
When most organisations think about cyber insurance, it is often framed within a conversation about protecting businesses from the financial losses associated with malware and ransomware attacks – but the conversation should extend way beyond that.
Ransomware attacks are certainly an important financial risk for businesses to protect themselves against, but cyber insurance can also cover other data protection-related issues.
For example, it can offer indemnity against the misuse of misappropriated data and the fallout from it, brought about by data breaches. In the increasingly litigious, post-General Data Protection Regulation (GDPR) world we live in, any legal action brought about by data misappropriation could even cripple a small business.
Cyber insurance policies can also give businesses access to qualified recovery specialists, who can help them bounce back from an incident rather than having to rely solely on their in-house staff, who may not be quite up to speed on the necessary cyber response protocols.
Having access to such a resource can be invaluable during (or after) a time of cyber crisis for a company, because such specialists are well-versed in how to secure evidence for any investigation or legal action that takes place after the event.
But individuals who undertake this type of work do not come cheap, and a good cyber insurance policy will not only cover their costs, but also – potentially – the cost of an investigation.
Policies will vary from provider to provider and according to what is required. There are many different types of insurance, including policies covering systems being hacked, data loss, data theft and reputational damage, which is often the biggest issue for larger, well-known companies.
What is not covered?
All this is useful if a company is ever compromised, but any underwritten insurance comes with requirements placed on the company and limits in liability, like any insurance policy.
Just as home insurance requires the policy-holder to take due diligence and appropriate care to ensure the home environment is secure, the same also applies to a company’s virtual security policies and procedures.
First, be aware that if systems are compromised during a ransomware attack and the company pays the virtual ransom, all support from the insurance underwriters will be withdrawn and the company will effectively be left to its own devices to attempt a system recover.
It is not difficult to understand why – criminals do not stop when a target pays up, and it can encourage further acts of bad behaviour. This is often the reason why large companies and public sector players will make a point of stating that the ransom will not be paid.
Also, in the event of a ransomware attack, there is usually no way to get the data back. It is not unknown for people to pay a ransom only to discover that the unlock key does not work, leaving them out of pocket and still without access to their data.
Second, any policy will come with requirements on the company being insured. Data is the one thing that money can’t easily replace.
Read more about outages and cyber attacks
- The May 2017 WannaCry attack, which disrupted services at one-third of NHS trusts and more than 600 primary care organisations, is the closest the UK has come to a national cyber emergency, says the NCSC.
- British Airways appears to have amicably concluded its legal action against US real estate consultancy CBRE over the datacentre outage that grounded hundreds of flights during the 2017 May Bank Holiday weekend.
This expectation would include that the environment is patched and verified as secure by a third party, employing proven processes. This will place a load on the company being insured, but it also helps that company to up its security configuration.
The insurer will also probably dictate and detail items such as the level of security patching required, and insist on access audits and external tests being performed by third parties to understand the liabilities that are being viewed.
Also, cyber insurance is a discrete entity and should be treated as such. Cyber insurance policies should be detailed, specific and, more importantly, thoroughly understood and documented. Any oversight at this point could be catastrophic. The policy needs to be fully understood – not just pulled out in time of panic.
There is no real “one size fits all” scenario. Be careful and thorough when looking at cyber insurance policies. It is good practice to employ appropriately indemnified specialists to help develop a policy that is suitable for your company.
A good policy will look at many different scenarios and potential issues that may apply to your company and help to develop a value-for-money plan.
One thing is for certain – obtaining cyber insurance should be done by qualified specialists in the area, because there is so much at stake.
Trying to develop a policy by yourself is asking for trouble further down the line. The above information is intended purely to help business owners understand what is possible and should not be construed as advice on any particular function or facet. As stated, there are many specialists who can help to draft a proper policy.