
Cyber insurance emerging as a compliance factor

Espria has added its voice to concerns that growing numbers of firms are going to fall foul of the demands of the insurance industry

Cyber insurance is becoming a form of compliance in its own right, adding extra hurdles that both managed service providers (MSPs) and their customers have to clear.

Those that fail to meet the needs of cyber insurers not only risk being left without cover, but also being exposed for holding a weak security posture.

Earlier this summer, MSPs were warned that they needed to stay on the right side of the insurance industry and be able to demonstrate their capabilities; there are now concerns that SME customers are also lagging behind when it comes to meeting the requirements of cyber insurers.

Those who follow the activities of insurance underwriters have noted the demand for a range of certifications, including the likes of ISO 27001, Cyber Essentials and Cyber Essentials Plus, to qualify for cover. MSPs and customers also need to prove they have deployed a range of controls, including incident response planning and two-factor authentication, to demonstrate a baseline level of defence against threats.

Ritchie Puckey, head of compliance at Espria, said those who assumed that cyber insurance was just a “tick-box exercise” and a case of filling in a form were sadly mistaken.

“This dangerous assumption is leaving small businesses seriously unprepared,” he added. “There is a cyber insurance crisis quietly unfolding for British SMEs [small and medium-sized enterprises] that most business leaders are currently underestimating. The flawed assumption is that a policy is a simple protection layer, but the reality has changed dramatically: cyber insurance is the new compliance. SMEs need to be ready to demonstrate exactly how they are managing cyber risk in the modern security landscape.

“Many SMEs lack this level of cyber maturity,” said Puckey. “We are seeing clients being refused renewals outright or hit with premium increases of up to 300% because they cannot demonstrate they are actively managing their risk. This isn’t just a theoretical problem; it’s leading to public and costly claim disputes where insurers argue that a lack of basic controls, and validation that the controls have been tested, invalidates the policy.”

Weighing up the risks

Puckey said customers had to weigh up the risks to reputation and the bottom line of failing to prevent a cyber attack.

“The conversation must shift from the server room to the boardroom; cyber security is both a financial and an operational risk that the chief financial officer and chief operating officer must address and shouldn’t ignore,” he said. “The question is no longer, ‘Are we insured?’ but, ‘Can we prove we are insurable?’

“UK SMEs cannot continue treating cyber security as an afterthought,” said Puckey. “It is now a fundamental requirement for financial viability and resilience, and insurance underwriters will no longer wait for you to catch up.”

Back in June, Robin Ody, principal analyst at Canalys, now part of Omdia, highlighted a growing gap in the MSP world between those who could demonstrate a tight grasp of regulations and data protection requirements, and those who were not up to the task.

“Partners have become the number one threat vector for customers, because a partner holds all the data,” he said. “And the more that they hold the managed services piece, the more that they hold the financial data and the more the MSPs have become the single threat vector for the channel. Now, the risk this poses to regulation in cyber insurance is incredibly high.

“What we are likely to see over the next few years is cyber insurers who will no longer be insuring customers because they have MSPs,” said Ody. “If you’re insuring a customer and they have a managed service provider, then you cannot quantify that risk, because that managed service provider isn’t insured by you and hasn’t been through your audit.”
