Cyber Insurance: The full guide to help you protect your business

A cyber incident can impact a business in a variety of ways. It is important to build a full understanding of how and what effects this will have on the organisation. This is why Cyber Insurance is a must for any business.

This article has been written by EMSOU and seeks to promote good cyber security among businesses and the public. If you require any further assistance or guidance please contact the EMSOU Protect Team or your local Force Protect Team.

Insurance has been used to minimise risks for many years. Property insurance can be traced to the Great Fire of London, resulting in the first fire insurance company in 1681.

Accident insurance was first offered in 1848 by The Railway Passengers Assurance Company. They charged higher premiums for second and third class travel due to the higher risk of injury in the roofless carriages.

The first life insurance policies were taken out in the early 18th century.

In the late 1680s, Edward Lloyd opened a coffee house in London and the first marine insurance was offered to merchants. 320 years later one of the first cyber liability policies was developed for the Lloyd's of London market in 2000.

Today many businesses are looking to Cyber Insurance to minimise the risks to their operations. News reports of yet another costly attack grow more frequent, with recent attacks leading to disruption of health care system in Ireland and New Zealand.

Most insurers routinely covered ransomware under property and casualty policies. That all changed in 2017 with NotPetya which caused an estimated $10 billion in damages globally.

Where to start?

Check if your organisation already has cyber insurance in place as part of existing policies, such as business interruption or property insurance. These may provide some level of coverage for cyberrelated losses or they may specifically exclude certain cyber-related incidents.

Managing cyber incidents may require in-depth technical knowledge. As well as minimising business disruption and providing financial protection during an incident, cyber insurance may help with any legal and regulatory actions after an incident.

It is important to identify what within the organisation needs protecting the most and identify the highest risk scenarios. Meeting the minimum cyber security requirements specified by an insurer; might not adequately protect your organisation.

Cyber insurance will not solve cyber security issues and will not prevent a cyber breach/attack. As with any insurance policy holders are expected to have adequate measures in place to protect themselves.

Some insurers offer discounts to organisation with recognised cyber security defences in place, such as Cyber Essentials, or Cyber Essentials Plus. As well as potentially lowering premiums, completing schemes like these demonstrate to customers, partners and suppliers that your organisation takes cyber security seriously.

A cyber incident can impact a business in a variety of ways. It is important to build a full understanding of how and what effects this will have on the organisation. This includes the financial impact of business interruption, loss of reputation and the associated costs of response and recovery. Good Cyber practices will ensure that risks can be reduced; ensuring backups are kept separate from your network, or in a cloud service designed for this purpose, will reduce the impact of attacks such as ransomware.

Unlike a fire or theft, cyber incidents are often not restricted to a single location. Understanding the inter-dependencies between geographically separated parts and how your organisation operates is vital to determine the potential extent of an incident.

Before purchasing cover, evaluate how important data, systems and devices are to operations, so an appropriate level of cover can be set.

Check in detail what the policy covers and what is excluded. For example, some insurance policies will not cover monies lost through business email compromise fraud, a relatively common incident that may not be covered by a standard cyber security policy.

Questions to ask: 

• What services are covered by the policy? 

• Many insurers offer cyber security consultancy services and risk management support to policyholders. Do these support your overall approach to cyber risk management? 

• What services do the insurer provide in response to an incident to help manage recovery? 

• Are services such as IT forensics, legal assistance or public relations support included? 

• Do they use an outsourced Cyber Incident Response (CIR) organisation or an in house Cyber incident response team? 

• Can you choose from a menu of services and risks? 

• What if you fall victim to a type of attack that did not exist when the policy was taken out? 

• Does the policy covers claims for compensation by 3 rd parties in the event of a cyber-attack? 

• Is cover for cyber-related incidents such as computer-enabled fraud included? 

• If personal data is lost as a result of a data breach at your organisation is ongoing support for customers included (credit monitoring subscriptions and checks)? 

• What are the limits of the policy, and whether they are appropriate for your organisation?

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).