Uncovering the New, Stricter Standards Imposed by Cyber Insurance Providers
Cyber risk insurance is an important aspect of business protection and continuity planning, particularly for organisations operating in industries or sectors with higher security risks due to the nature or types of data they collect and handle.
For example, public sector organisations such as GP practices, schools and colleges must comply with robust data protection requirements to safeguard the confidentiality of pupils and families. Financial sector businesses are often assumed to be key targets for hackers and cybercriminals. Still, the level of protection they deploy means that, in real-world scenarios, a manufacturing company is more likely to be exposed to external threats.
As the prevalence of cybersecurity attacks, data breaches, and deliberate disruption grows, insurance providers have begun introducing more stringent requirements and conditions that a business or organisation needs to meet to qualify for advanced cyber risk insurance products.
Let’s explain what that means, how it may affect your risk profile, and how to access our newly published Cyber Risk Insurance Checklist to assess and audit your cybersecurity infrastructure.
How Are Cyber Risk Insurance Products Changing?
From 2020 to 2021, demand for cyber insurance soared, with 47% of all businesses opting to take out some kind of insurance protection – linked with the doubling of cyberattacks logged in the three years to 2019. As a result, insurance providers increased average premiums to manage their larger risk profiles and potential claim values.
Another factor is that the risk calculations associated with cyber risk products have become more complex, where insurance underwriters need to assess:
- The severity of a worst-case scenario cyber attack
- The cost of recovery and data retrieval
- The frequency of attacks and attempts
- The likelihood of future emerging threats
Where unexpected costs have grown, insurers have consequently introduced tighter terms and conditions which businesses need to comply with to be eligible for full insurance coverage. Whereas standard commercial insurance policies used to include a limited amount of cyber protection as a supplementary product feature, this is now far less common, meaning businesses need to take out separate, standalone cover.
All this means that cyber insurance has become more expensive, with fewer options to choose between, more inflexible eligibility standards, and a longer list of exclusions.
How Can Businesses Improve Access to, and the Cost of, Cyber Risk Insurance?
Many companies and public sector organisations have to make decisions, balancing the cost of advanced-level cyber insurance and the cost of investing in their IT infrastructure and cybersecurity defences to meet the conditions imposed by insurers.
However, it may be essential to consider upgrades and straightforward services such as regular software updates and introducing multi-factor authentication on email accounts, irrespective of the insurance position of the entity.
A business without cyber insurance that experiences a catastrophic attack or data breach could be facing a business-critical event, which may be challenging, if not impossible, to recover from. Those with insurance protection may find that outdated policies or a lack of adherence to insurance conditions means their policy is deemed invalid at the point of claim – an equally serious scenario.
Part of the resolution is often to consider in-house training, especially where staff use a larger amount of cloud-based technology such as data storage, remote network access and software applications.
As many as 99% of security failures involving cloud-based tech are found to be the fault of the user, meaning that insurers need a significant amount of assurance that an insured party has delivered the necessary staff training, introduced policies and procedures for employees to follow, and taken steps to mitigate the potential for inadvertent errors resulting in a data loss or cybersecurity breach.
Therefore, the insurance requirements aren’t all related to products, services or security tools. They also include mandatory terms such as delivering staff training, verifying that every workforce member has been trained in phishing attack simulations, and removing network administration permissions from non-IT teams.
Understanding Your Business Cyber Risk Profile
Before any insurer will offer a product or quote an insurance premium, they will need to evaluate the IT security threats most relevant to the business, how well the organisation is already protected, and the likelihood that an attack will occur and result in a claimable event.
Insurance underwriters will then identify the potential cost of a claim and the possible frequency of severe attacks occurring. This data then feeds into the insurance assessment and the decisions around whether to offer a product to an applicant and at what cost.
In some cases, insurers will be happy to propose coverage but will impose significantly higher premiums, excesses (or co-payments) and exclusions. The difficulty in this situation is that the insurance may be unfit for purpose if it provides very limited protections or would pay out a negligible value compared to the expense borne by the business.
Our advice is to review your IT security provisions and assets before comparing cyber risk insurance products to ensure you have a good idea about where you stand and how an insurer might view your business from a cyber risk perspective.
Accessing the Jera Cyber Risk Insurance Compliance Checklist
Jera’s recently released Cyber Risk Insurance Compliance Checklist is a great starting point and is formatted similarly to the risk assessment forms you may already be familiar with.
This free, downloadable and editable resource is designed to help you work through all of the potential conditions a cyber risk insurer might impose based on the sophistication of the insurance coverage you need and the risk profile of your organisation.
Simply work through each requirement, access the compliance examples to see what that might look like in your business environment, and then log the measures you have in place. If you identify a lack of compliance or can see that you do not meet even a minimum cyber risk insurance requirement, you can specify the changes needed and use this as a checklist to improve your prospects of applying for robust, competitively priced insurance protection.
Every condition that an insurer might impose can be swiftly addressed by working with an experienced, full-service IT provider, from implementing ongoing monitoring and security scanning through a Managed IT Support package to delivering staff training to upskill your workforce.
For more information about cyber risk insurance, understanding why your business has been declined insurance coverage, or areas needing further action identified through our checklist, please get in touch with the Jera team.