
Security Think Tank: Ensure cyber insurance is right and helps reduce risk

What should organisations consider if they are to prepare for cyber insurance?

Cyber insurance policies for businesses, and the criteria used to write premiums, can vary. The size and type of business is typically assessed, but beyond this, the questions asked can start to look quite different.

For the insurer, these questions should provide an accurate view of an organisation's critical assets and the maturity of its current cyber defences. They should also let the insurer build a picture of the business's ability to resist and manage a cyber incident, and of the fundamental business services that such an event could affect.

Typically, an insurer might currently assess a business's cyber capability by asking some simple questions, such as whether systems, databases and email are password protected. Password protection is a basic and fundamental control, but it is only one layer of a cyber defence strategy, and on its own it says little about an organisation's overall cyber resilience.

So how does the above affect what organisations should think about when looking for cyber insurance?

The first point is to look for an insurance policy that asks a breadth of questions. Given the complexity of cyber security, the changing threat landscape and the limited historical data that exist, it is worthwhile seeking a more tailored policy. This helps ensure that underwriters fully understand the level of impact to which you could be exposed.

Uncertainty generally results in higher premiums, and the cost of cyber insurance can be as much as three times higher than that of more established liability risks. As you would with a consumer policy, compare policies: this can both save money and result in a more bespoke policy being written.

Last, and most importantly, know what sort of cover you need. Check the level of cover being offered and what exclusions there are. A typical policy might cover costs for notification, crisis management and legal and regulatory defence, all of which will likely be needed in the event of a data breach.


Some organisations may have a very specific reason for wanting cyber insurance, such as the additional liabilities arising from the EU General Data Protection Regulation (GDPR), which becomes enforceable in May 2018. If something like this is the primary driver for seeking a policy, insurance buyers may benefit from a detailed conversation with sellers to cover all areas of concern.

Overall, cyber insurance is a young market, but it is maturing. It may not be appropriate for everyone, but with rapidly evolving cyber threats, it is important that organisations manage cyber risk prudently, and identify if cyber insurance can indeed help them do this more effectively.

Gavin Cartwright is a director in Deloitte UK’s cyber risk team.
