Security breaches are mainstream, and every organisation should assume they will be a victim.
According to recent research published in the Cyber Security Breaches Survey 2022 by the Department for Digital, Culture, Media & Sport, in the last 12 months, 39% of UK businesses identified a cyber-attack.
Of these, the most common threat vector was phishing attempts (83%). Around one in five (21%) identified a more sophisticated attack such as a denial of service, malware, or ransomware. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.
The threat of an attack is real and companies of all sizes need to take steps to protect themselves not only in new cyber security technology, but financial protection in the form of insurance.
Cyber insurance is a growing area in a company’s armoury. In the event of a breach, it is the insurance which ensures reputation is maintained during a troublesome time, giving you the financial, legal and technical support you need to stay resilient.
However, insurers are basing insurance levels on ‘standard of care’ requirements, which refers to the policies, procedures and safeguards that organisations need to have in place to qualify. These range from having a security plan and raising security awareness among employees, to specific technology safeguards, such as firewalls, access controls and real-time monitoring for vulnerabilities.
According to cyber insurer Assured Partners Ltd, insurance firms are showing a much greater interest in the information security practices and procedures that their customers have in place as demand for cyber insurance grows. And there is the rub – organisations wishing to take out insurance must be able to prove they have the standard of care requirements in place, which could mean opening their systems to the scrutiny of the insurers.
It could oblige firms to invest in security controls that are beyond the traditional demands of auditors, placing further pressure on financially strapped organisations.
There are examples where organisations believed they had sufficient insurance for a breach, only to have their claims rejected over specificities. This is because the onus is generally on the organisation that has suffered losses to prove its IT security policies and controls were stringent enough to deal with overly broad clauses, often contained in the small print of the policies. Such clauses are open to interpretation over what security is sufficient.
One form of demonstrating cyber awareness is for the organisation to undergo a certification such as Cyber Essentials or ISO2701. These accreditations demonstrate a level of data security and business awareness of potential cyber-attack threats. However, this alone is not sufficient; understanding what level of cover your policy gives is also critical as often the ‘business continuity’ clause does not fully cover a cyber-attack.
The six key areas to look for in cyber insurance are:
Where personal data (electronic or otherwise) is accessed without permission, the cover should give access to practical support like forensic investigations, legal advice, notifying customers or regulators and assisting in credit monitoring for affected customers.
Covering the cost of getting your business back to normal, compensation for loss of income including reputational damage. Plus, any additional costs such as overtime or additional staff costs.
Covering the cost to defend and settle claims made against you for failing to keep customers’ personal data secure, or for allegations of noncompliance with GDPR. Costs associated with regulatory investigations and settlement of civil penalties levied by regulators.
The reimbursement for the costs of repair, restoration, or replacement if your computer network, systems, website or electronic data are damaged by external threats as well as internal risks, such as malicious employee attack or operator error.
Extortion or ransomware
If a hacker holds your systems or data to ransom, or threatens to publish information, the policy should cover the cost of any ransom paid and associated expenses, but also the services of a leading risk consultancy firm, to help manage the situation.
In the event of a data breach, prompt, confident communication is vital to keeping a company’s reputation in-tact. The insurance should cover PR and crisis management, using a reputable agent running a 24/7 crisis press office.
Organisations need to tread a fine line between how much they are willing to invest in preventive controls and whether those investments will be seen as sufficient by the insurer offering the coverage. Until this market really matures and coverage becomes based on universal, standard principles, the only advice that should heeded is ‘caveat emptor’.
Colin Tankard is the managing director of Digital Pathways