Cyber Insurance - what you need to know

In a world where cyber threats towards businesses are varied (and constantly changing), cyber insurance can help your organisation to get back on its feet, should something cyber-related go wrong. The NCSC has published guidance to help SMEs understand their cyber insurance needs and how they can get started should they decide to implement this for their organisation.

Read on to find out what cyber insurance is and how it could be an important asset to your business:

What is cyber insurance?

As well as minimising business disruption and providing financial protection during an incident, cyber insurance may help with any legal and regulatory actions after an incident.

Cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.

Why do I need it?

Businesses of all sizes are open to cyberattacks and they can be difficult to recover from. It’s important to build up a full understanding of how you might be impacted, and the effects this will have on your organisation. This includes the financial impact of business interruption, and the associated costs of response and recovery.

Unlike incidents such as a fire or theft, cyber incidents are often not restricted to a single location. Understanding how your organisation operates and the inter-dependencies between different parts is vital to determining the extent of an incident, which may have global implications.

What does cyber insurance cover?

Most cover responds to the immediate effects on the organisation by working to quickly restore network systems and data, while seeking to minimise losses from business interruption. For data breaches, there may be legal action from customers or other affected parties. The defence and settlement of such claims would normally be covered. Certain cyber insurance policies will go further and cover other cyber-related incidents such as computer-enabled fraud.

Make sure you understand in detail what the policy covers and, equally important, what is excluded. For example, some insurance policies will not cover monies lost through business email compromise fraud. This is just one instance where a relatively common incident may not be covered by a standard cyber insurance policy, so if business email compromise is a risk for you, you'll need to check that your policy covers it.

What support is offered after an attack?

Some insurers will supply services that are useful during (or immediately after) a cyber security incident, such as IT forensic services, legal assistance or public relations support. They may put your organisation in touch with a Cyber Incident Response (CIR) organisation or their own in-house cyber incident response team. You may also find the NCSC's Incident Management guidance useful in thinking about how to plan, build, develop and maintain an effective cyber incident response capability.

How do I know which policy is right for me?

It is important for you to identify what within your organisation needs protecting the most, and to also identify any scenarios that must not happen. Do not limit yourself to meeting the minimum cyber security requirements specified by an insurer; these might not adequately protect the things your organisation cares about.

Some insurers offer discounts if your organisation already has recognised cyber security defences in place (such as those certified by Cyber Essentials or Cyber Essentials Plus), so ensure your broker is aware of these. As well as potentially lowering your premiums, completing schemes like these demonstrates to your customers, partners and suppliers that you take cyber security seriously, and for this reason they should be considered even if you don't intend to take out cyber insurance.

Some organisations that achieve Cyber Essentials are provided with cyber liability insurance offered as part of this certification through the IASME Consortium. This won't be suitable for all organisations, and the questions in this guide are still relevant to check that any cyber insurance offered meets your needs. If you have any questions about this type of cyber insurance, please refer to the information published by IASME.

You can find a list of Cyber Essentials providers on our trusted partners page.

If you'd like to learn more, you can read the full NCSC guidance on choosing and implementing cyber insurance for your business on their website.

The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.