OK, so if you’re reading this article, you’re obviously thinking about getting a Cyber Insurance policy for your business or organisation. If that’s the case, then you really need to think about what might be required in order to get the policy at all. Cyber Insurance, in our opinion, is a must-have for businesses and organisations of every size. However, the Cyber Insurance market has been stung over recent years, losing billions of pounds in the process. This is, in part, because insurers provided policies to businesses that weren’t anywhere near properly protected, so they had lots of claims on their hands which had to be paid out, because the insurers hadn’t necessarily been collecting the right information from their customers during the application process. This has now led to higher prices AND more stringent policies and checks during the application process.
OK, so what things do I need to think about in order to put a Cyber Insurance policy in place for my business?
Firstly, what is Cyber Insurance for?
Well, let’s first agree that it is most likely that you cannot stop all cyber attacks on your business, not if someone really wants to attack you. The cold hard truth of the matter is that no matter how hard you try, a bad actor will always find a way in if they really want to. There are too many ways in, too many threats, and those threats are evolving too quickly.
So if a breach does occur, what will your business do? Firstly, will you have the resources and cashflow to allow you to recover quickly? The answer is most likely no. Hence Cyber Insurance. Cyber Insurance provides you with the peace of mind (provided you’ve given honest answers and put in place any agreed security measures) that if someone does breach your defences, you have someone on hand to help you recover, both from a legal angle and from a monetary angle. A Cyber Insurance policy will pay for your IT company to put your systems back in place, and it will pay for forensic examination of IT equipment where necessary if there has been a data breach. A Cyber Insurance policy may even cover hardware that has been damaged in such a way that it can’t be re-used due to infection.
What will I need, to get Cyber Insurance?
Firstly, you will need to think about what your requirements are. Cyber Insurance policies are usually designed in quite a bespoke way, based around the size and type of your organisation as well as the risk associated with insuring it. In order for you to go to market, you will need to know things like your business turnover (maybe profit and loss), number of staff, the industries that you trade in, whether you work with businesses or consumers and, quite crucially, whether your business retains any personal data relating to your staff and customers. In particular, insurers will be interested in sensitive data such as medical records, banking records and other sensitive data types such as religion, sexuality and so on.
As well as knowing things about your business, you’ll also need to know quite a lot of technical information about your IT systems. You should think about asking your IT person, or an external provider, to help you produce the answers they require, as they won’t be easy to ascertain unless you are technical. It is MISSION CRITICAL that you get the technical answers correct. If you answer an insurer’s questions wrongly, intentionally or otherwise, they will always look to get themselves off the hook in the event that you need to make a claim.
How can I choose a Cyber Insurance Provider?
There are many different ways for a charity or business to choose their insurance provider. To start with, you should speak with your general business insurer (the company you deal with for Professional Indemnity, Public Liability, Employer’s Liability insurance and so on). It’s perfectly possible that your existing policy includes some areas that might help in the event of a cyber attack. Things like “Business Interruption Insurance” could well include an element of Cyber Insurance in your policy, so do speak to them.
Beyond your existing insurer, think about checking with your old friend Google on review sites and the like! One provider known to ESP is Hiscox, who provide all manner of business insurances including Cyber.
Another thing to think about here is applying for the Cyber Essentials accreditation for your business. Many providers of the certification process ensure that you get a small amount of free cyber cover for your business; it’s usually £25k of coverage.
What are the technical requirements for Cyber Insurance?
Different insurance providers will require that you implement different technical solutions to satisfy their requirements. They will judge these based on the risk to their finances, naturally. However, some things that usually come into play are listed below:
- MFA – Multi-Factor Authentication. MFA means that as well as a username and password, you also use another authentication method to access your systems. You can find out more in our blog post – What is MFA?
- Spam Filtering (sometimes called Email Filtering). A spam filter automatically checks all of your inbound emails before you receive them, in case any malicious content is included. If it is, it gets filtered out. You can find out more about Spam Filtering in our blog post – What is Spam Filtering?
- Antivirus and EDR. Antivirus sits on your computer and checks for malicious files and programs to protect you against them. EDR (Endpoint Detection and Response) is a more advanced form of antivirus that also watches what is happening on the device and helps you respond when something suspicious is found. You can find out more about Antivirus in our blog post – What is Antivirus?
- User Awareness Training. This one is coming up more and more as cyber insurers realise that the biggest weakness in any IT security is people. User Awareness Training gives staff access to a training portal and ‘tests’ them regularly to see if they would get caught out by different email scams and so on. You can find out a bit more about User Awareness Training in our blog post in Layer 1.
- IT Policies. Many cyber insurers want to know that you have adequate IT policies in place to ensure your staff know what is expected of them. Additionally, some insurers now require a Business Continuity Plan (or Disaster Recovery Plan) to be in place.
Summary
In conclusion, there are many things to think about when it comes to Cyber Insurance for your non-profit, charity or business. The best place to start is to talk to your existing business insurer AND your IT support partner. Involve your IT team throughout your application process to ensure that you are giving the right answers to the questions. Do expect, though, that in order to be insured, it’s likely you are going to have to complete a gap analysis and spend time and budget implementing IT solutions to ensure that you are insurable. Whether you have your IT support with ESP or not, we’d be happy to help you when it comes to Cyber Insurance. We can help you make the right decisions about what is right for you and how that connects to your IT systems. Give us a call today on 03302020118 or don’t hesitate to drop us a message via our Contact Us page.