
Security Think Tank: Cyber insurance may not provide cover where it is most needed

What should organisations consider if they are to prepare for cyber insurance?

Many businesses think their insurance policies will cough up if they are brought to their knees by a devastating cyber attack. But unsurprisingly, most business insurance policies were written 50 years ago to cover tangible losses only, and are not automatically updated to include the latest and greatest cyber risks.

In fact, most policies now come with small print detailing exactly what is NOT covered, or limit the compensation for a malware incident to fifty quid or something equally tiny.

Cyber insurance is one form of cover among many hundreds of others, so it is unlikely that your insurance broker will pick up the phone and try to sell it to you. About 99% of their business has to be around selling employer’s liability and professional indemnity cover, and I don’t think it is in your broker’s commercial interests to spend time selling you a rare commodity.

In short, you’re in this on your own. You will need to go and find cyber insurance, seek the help of a specialist broker, and end up paying through the nose for it.

But before you do this, exactly what do you need to insure? How much do you need to insure it for? Can you insure against gross negligence or employee dishonesty that causes a devastating incident?

Again, I am seeing policies that are mostly weighted toward insuring the business against an unknown assailant. They are covering you for 95% of the types of incident, but the remaining 5%, which include some of the most devastating attacks, are not covered.

Don’t assume insurance will solve all your problems, because insurers can quite easily squirm out of paying up if you have failed to adhere to industry best practice.

Insurance is one way to deal with risk. Businesses can also accept, avoid or mitigate risks. And they will need to if they spend any time reviewing what a cyber insurance policy covers.

Qualifying cyber security risk is not a complicated process. Frameworks such as ISO 27001 exist to help you identify the gaps and present the business with an analysis of which risks need treatment. Buying an off-the-shelf cyber insurance policy on impulse is NOT the right way to go.

Policies that depend on an independent cyber security audit, such as Cyber Essentials, are starting to appear. If you complete a Cyber Essentials audit (pass or fail), then an insurance company will happily insure you against the breach of the controls you have in place. But it won’t cover controls that you don’t have in place, or controls you thought were in place but that turned out not to be effective at all.

That way, insurers make money from the masses to pay limited amounts out to the minority, under a very controlled set of circumstances.

Don’t assume cyber insurance will have you covered. Do your homework: conduct an audit and carry out a gap analysis. Give the business an honest picture of the risks that need treatment, and then decide whether or not insurance is the right way to go.

Tim Holman is CEO at 2-sec security consultancy.