Cyber Insurance: How to Meet Requirements, Save Money and Reduce Risk 

4 October 2022 

Why are more businesses taking out cyber insurance?

The popularity of cyber insurance is steadily rising.

And it’s not surprising, with 40% of UK businesses being targeted by a cyberattack in the past 12 months. Research suggests this figure, in reality, is higher, as cyberattacks are underreported (Cyber Security Breaches Survey 2022).

Cyber Insurance: Core Business Risk Management

Companies House advise that businesses seriously consider cyber insurance. They warn that cyberattacks are emerging as one of the biggest risks facing businesses of all sizes, particularly as businesses have more data assets. Cyber security, today, is a core element of business risk management.

Organisations with cyber liability insurance are taking the right steps to manage their risk and ensure their longevity in the modern, digital environment.

Will my cyber insurance pay out?

Organisations should be aware of the responsibilities they must uphold for their cyber liability policy to pay out in the worst-case scenario. Any failure to meet the insurance terms may lead to the insurer refusing to pay out.

Your responsibility to mitigate cyber risk

All cyber insurance providers expect the policy holder to take responsibility for mitigating risk, thereby limiting the chances of an incident. Cyber insurance conditions generally include many best-practice cyber security controls, which reduce the likelihood of a cyber incident ever taking place. Mitigating risk and the likelihood of an accident are common in insurance policy terms, for example:

Specifying that you must have a firewall in place for cyber security is similar to a fire insurance policy specifying that a fire alarm must be installed to prevent a fire.

If your business premises had a fire, you would not expect a fire insurance policy to pay out if:

  • You did not have a fire alarm

  • Your fire alarm was faulty, or not working because it had not been tested

The same can be said for the cyber security controls stipulated in cyber insurance policies.

Key cyber insurance considerations

There are several common cyber security measures that insurance providers expect an organisation to implement for the policy to pay out. Here we list the most common cyber security controls stipulated in cyber insurance policies, as well as other important considerations when choosing a cyber insurance policy:

  • Read terms and conditions

Insurance conditions vary from one policy to another, depending upon your industry, your insurance provider and your organisation’s specific risks. It is important to read the terms and conditions in your policy to understand which cyber controls need to be implemented and when you are not covered.

  • Firewall Protection

Computer equipment connected to the internet or any other external network must be protected against unauthorised access by a suitable firewall. The firewall will need to be updated at least once a month if it is not updated automatically. Cyber insurance will not pay out if the firewall is not in effective operation at the time of a loss.

  • Software updates

Software updates are a standard cyber insurance term and mitigate known vulnerabilities. Policy holders are typically required to ensure that firmware, operating systems, software and programs are updated within 14 days of an update being released by the manufacturer or provider.

Software updates: smart devices, tablets and phones

Updates are not only required on computers, but also smart devices, tablets and phones – any device that has access to your network.

  • Automate software updates

Organisations should ideally automate security updates to avoid falling foul of this criterion.

  • Outdated operating systems

Research shows that 16% of businesses and 14% of charities have unsupported versions of Windows installed. If any of your computers run Windows 7 or Windows 8 (pre-Windows 8.1), they are no longer supported and no longer receive important security updates.

  • Access and Passwords

Change default passwords

Some of the biggest cyber-attacks have been caused by organisations failing to change a manufacturer default password. Ensure that all passwords are changed from their default, otherwise, this oversight could void your cyber insurance.

Individual ID and password

All computers should also have an individual ID and password. Group or shared usernames/passwords will void your cyber insurance policy.

Limiting access

Access to your network should also be limited. For example, there is no reason why your marketing team needs IT administrator rights. Unjustifiable access to IT administrator passwords could void your insurance policy if this proves to be how a hacker gains access. Remember, a hacker can also be an employee.

  • Only use work devices

It’s important to ensure that employees only use work laptops to access work networks. Employers have no control over personal device security, whether it be personal laptops, phones or tablets. If your network is hacked through an insecure personal device, then your claim could be void.

  • Work laptops for employees only

Employers should ensure that work laptops aren’t being used by family members. Quite often, children use their parents’ laptops to complete homework. If a zip file were downloaded as part of a homework task and initiated a cyber-attack, this too could invalidate your cyber insurance.

  • Data Backup

Cyber insurance also stipulates that data must be backed up. Policies typically request:

Two copies of data backup at different locations

At least two backup copies of your data should be saved separately from the system that produced them. One copy can be saved on your premises, but a second copy should be saved off-site at a different location.

Frequency of data backup

Data should be backed-up at least every seven days. While some insurers may allow a longer period between backing up, organisations should consider, practically, how much data they can afford to lose in the worst-case scenario. Seven days of data is a significant amount of data to lose for most organisations.

Data backup checks

Data backup must also be checked and validated by using operating system routines or checks.

  • Virus Protection

Cyber insurance terms typically state that anti-virus software should be in full and effective operation at the time of a loss. Anti-virus is normally automatically updated, but otherwise should be updated at least monthly.

  • Pre-existing problems

Cyber insurance will not pay out if you were aware of, or ought reasonably to have known about, a pre-existing issue before the cyber insurance was taken out, for example poor password management or out-of-date operating systems. If a pre-existing problem causes a cyber incident, you may not be able to make a claim.

  • Previously breached?

Cyber policies are typically invalidated if your organisation has been the victim of a cyber incident or breach within the past three years. Once your network has been breached, or accessed through a backdoor, your network security is considered weak and therefore prone to future cyber incidents.
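The conditions listed above are easy to check mechanically. The following is an added example (not the insurer's or this blog's own tooling) that audits a constructed asset inventory and backup record against the thresholds stated on this page: patches within 14 days, firewall and anti-virus updated at least monthly, two backup copies in different locations taken within seven days and validated, no unsupported Windows 7/8, no default or shared credentials. All hostnames, dates and fields are made up for illustration.

```python
from datetime import date

# Constructed sample inventory (not real data): one record per device.
TODAY = date(2022, 10, 4)
INVENTORY = [
    {"host": "fw-01", "kind": "firewall", "last_update": date(2022, 8, 20),
     "default_password_changed": True, "shared_account": False},
    {"host": "pc-07", "kind": "workstation", "os": "Windows 7",
     "last_update": date(2022, 9, 1), "av_last_update": date(2022, 9, 30),
     "default_password_changed": True, "shared_account": True},
    {"host": "pc-12", "kind": "workstation", "os": "Windows 11",
     "last_update": date(2022, 10, 1), "av_last_update": date(2022, 10, 3),
     "default_password_changed": False, "shared_account": False},
]
# Two backup copies, both on the premises, only one of them checked.
BACKUPS = [{"location": "onsite", "taken": date(2022, 10, 1), "verified": True},
           {"location": "onsite", "taken": date(2022, 9, 20), "verified": False}]

# Thresholds taken from the policy conditions described above.
PATCH_DAYS, MONTHLY_DAYS, BACKUP_DAYS = 14, 31, 7
UNSUPPORTED_OS = ("Windows 7", "Windows 8")  # pre-Windows 8.1 releases

def age(d, today):
    return (today - d).days

def audit(inventory, backups, today=TODAY):
    """Return (host, finding) tuples; an empty list means every condition is met."""
    findings = []
    for dev in inventory:
        h, stale = dev["host"], age(dev["last_update"], today)
        if dev["kind"] == "firewall" and stale > MONTHLY_DAYS:
            findings.append((h, "firewall not updated within a month"))
        elif dev["kind"] != "firewall" and stale > PATCH_DAYS:
            findings.append((h, "security updates older than 14 days"))
        if "av_last_update" in dev and age(dev["av_last_update"], today) > MONTHLY_DAYS:
            findings.append((h, "anti-virus not updated within a month"))
        if dev.get("os") in UNSUPPORTED_OS:
            findings.append((h, f"unsupported OS: {dev['os']}"))
        if not dev["default_password_changed"]:
            findings.append((h, "manufacturer default password still in use"))
        if dev["shared_account"]:
            findings.append((h, "shared username/password in use"))
    # Backups: two copies, different locations, taken within 7 days, validated.
    if len(backups) < 2 or len({b["location"] for b in backups}) < 2:
        findings.append(("backup", "fewer than two copies at different locations"))
    if not backups or min(age(b["taken"], today) for b in backups) > BACKUP_DAYS:
        findings.append(("backup", "no backup taken within the last 7 days"))
    if not all(b["verified"] for b in backups):
        findings.append(("backup", "backup copy not checked/validated"))
    return findings
```

Running `audit(INVENTORY, BACKUPS)` on the sample data reports seven gaps, each of which the page describes as a reason an insurer may decline a claim.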

How do I know if I have the correct cyber controls?

We highly recommend that businesses complete a cyber security assessment to review the effectiveness of your cyber security and ensure the validity of your cyber insurance.

Simply email info@epx.co.uk or schedule a call directly with our cybersecurity consultant for a free consultation on 01785 878 311.