The UK National Cyber Security Centre (NCSC) published some guidance this summer for organisations of all sizes who are considering purchasing cyber insurance.
The guidance is not intended to be a buyers' guide to insurance – rather, it is meant to enable organisations to decide whether cyber insurance could contribute to how they manage their cyber risk. The NCSC confirms that, to fully understand which insurance policy is right, organisations need to identify the risks they face, treating cyber security as an integral part of their organisational risks. Good risk management is therefore key.
Questions to ask before you take out cyber insurance
The guidance includes a number of basic questions that organisations should consider before buying insurance.
Are you already covered? Before purchasing bespoke cyber insurance, the first thing to check is whether you are already covered as part of existing policies, such as business interruption or property insurance. These may provide some level of coverage for cyber-related losses, particularly if they are existing/historic policies. Alternatively, they may specifically exclude certain cyber-related incidents, a trend we understand is increasing with new policies.
What existing cyber security defences do you already have in place? The process of preparing to purchase cyber insurance may in itself be helpful. You may need to gather information about your security controls (technical, procedural and human) to provide to the insurer/broker. You should also identify what requires the most protection (your ‘crown jewels’) and the scenarios that must not happen. You may be able to secure a discount on insurance if you have recognised cyber security defences in place (for example Cyber Essentials) and so it is important your broker is aware of these. In addition, some organisations who achieve Cyber Essentials are provided with cyber liability insurance as part of the certification through the IASME consortium.
How do you bring expertise together to assess a policy? Cyber insurance policies often contain detailed technical information and cyber jargon – it is important that you understand the policy and identify those who can help with this (lawyers, technical experts, HR). If an organisation does not have direct access to technical expertise, its insurance broker, or an NCSC-assured cyber security consultancy, may be able to help.
Do you fully understand the potential impacts of a cyber incident? It is important to understand how a cyber incident will impact the different parts of your organisation. Understanding how your organisation operates, the inter-dependencies between its different parts, and the potentially global nature of a cyber-attack is vital to determining the extent of an incident. For example, ransomware could mean systems in multiple locations are unavailable. (As an aside, the NCSC recently updated its ransomware guidance.)