Experts produce first-ever technical advice on cyber insurance for businesses
07 August 2020
Businesses have been given access to the National Cyber Security Centre’s (NCSC) first-ever advice on taking out cyber insurance. The new cyber insurance guidance urges businesses to consider seven key questions to help them make informed decisions about cover.
The cyber insurance guidance has been produced by the NCSC in consultation with a range of major stakeholders and industry partners after calls for expert technical advice on the growing cyber insurance market.
The advice encourages organisations of all sizes to think about how insurance might help in the wake of a cyber attack and contribute to existing risk management strategies. Questions to be addressed range from what levels of defence are already in place to whether the insurance covers the aftermath of an incident.
Sarah Lyons, the NCSC’s deputy director for economy and society engagement, said:
“Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance there simply hasn’t been enough information up to now. That’s why it’s so important for the NCSC to offer its support by providing some clarity on the key issues to consider to ensure cyber security. Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”
Insurance sector comment
A spokesperson for the British Insurance Brokers’ Association added: “The British Insurance Brokers’ Association welcomes this guidance for businesses. This guide clearly explains how good cyber security and suitable insurance go hand in hand. Insurance brokers can provide support and advice to firms looking for cover and, in turn, businesses benefit from reducing the impact of disruption caused by a cyber attack.”
A spokesperson for the Association of British Insurers stated: “Being a victim of cyber crime can have a devastating impact on any business, whatever its size, with SMEs especially vulnerable. Nearly 50% of UK firms have reported a cyber attack over the last year, but despite this the take-up of cyber insurance by businesses remains low. This NCSC guide reinforces just how wide-ranging and serious the impact of a cyber attack can be, and why it’s important to manage cyber risk and put cyber security measures in place.”
Digital Infrastructure Minister Matt Warman explained: “It’s vital businesses take action to protect themselves and their customers from security risks. Cyber insurance can play an important part in robust risk management strategies. I encourage firms to consider this guidance and use programmes such as Cyber Essentials to make sure they have fundamental cyber security defences in place.”
Seven key questions
The new guidance focuses on the cyber security aspects of buying cyber insurance, posing seven questions senior leaders at organisations should be asking themselves:
* What existing cyber security defences do you already have in place?
* How do you bring expertise together to assess a policy?
* Do you fully understand the potential impacts of a cyber incident?
* What does the cyber insurance policy cover (or not cover)?
* What cyber security services are included in the policy and do you need them?
* Does the policy include support during (or after) a cyber security incident?
* What must be in place to claim against (or renew) your cyber insurance policy?
Having insurance can help businesses with recovery if they fall victim to a cyber attack by reducing disruption to operations and providing financial protection. However, cover cannot prevent a breach from happening so it’s vital for organisations to ensure they have fundamental cyber security defences in place, such as those assessed by the NCSC’s aforementioned Cyber Essentials scheme.
Cyber Essentials allows UK organisations to assess whether they have the measures in place to protect themselves from the most common cyber threats. If they do, they then receive certification from the NCSC in partnership with the IASME Consortium.
Having certification may in some cases even help with obtaining a discount on cyber insurance as insurers know that the business has implemented basic protections.
Organisations can find a range of tailored cyber security advice and guidance on the NCSC’s website. Topics include mitigating malware and ransomware attacks and securely managing an increase in home working.