With cyberattacks on the rise, cyber insurance is becoming more than simply a buzzword; for many companies, it is a necessity. Unfortunately for them, as recent headlines can attest, getting cyber insurance is becoming more and more challenging.
Many of our customers have questions: they want to know what cyber insurance is, why they need it and how they can go about getting it. That’s why we had our Information Security Officer, Paul Delahunty, sit down and answer these questions and more.
What is cyber insurance?
Cyber insurance does not differ greatly from the other types of insurance, for example, travel or health insurance, that we are all familiar with. Simply put, cyber insurance is a policy taken out by organisations to mitigate the risks of cybercrime and data breaches.
Who needs cyber insurance?
The vast majority of organisations do not need cyber insurance. However, some organisations or projects do require third-party service providers to have cyber insurance, for example, when replying to a tender.
Aside from this, cyber insurance is not really necessary; however, it may be useful to an organisation that fears being seriously impacted by a cyber-attack or data breach. Nowadays, that is unfortunately almost every organisation.
What do I need to do to get cyber insurance?
In the past, getting cyber insurance was not an impossible task. However, over the past number of years, it has become increasingly difficult. This is due to:
1. The volume of attacks hugely increasing;
2. The impact of those attacks becoming greater and greater.
The combination of these two factors means that insurance companies are increasing both the cost of cyber insurance policies and the minimum criteria to become eligible for such a policy.
While the exact criteria vary from insurance company to insurance company, in general, an applicant will need to show that they take security seriously and have reasonable protections in place.
How much does it cost?
Like any insurance policy you wish to take out, this depends on a number of factors. Essentially, it comes down to how exposed the insurance company believes itself to be. Factors such as the industry your organisation operates in, the level of cover required, the type of data your organisation typically processes, and the level of overall security in the organisation all play a key role.
An organisation with average or poor security that processes sensitive data and has previously been the victim of a breach is likely to have a very high insurance premium (if it even manages to get a quote at all). Simply put, the lower the risk you pose, the lower your premium will be.
Is cyber insurance worth it?
This varies from organisation to organisation. Ideally, an organisation should perform a risk analysis to help establish this. A risk analysis is where all the risks are written down and rated, depending on their likelihood and the impact of each individual risk.
Once this is done, mitigations are put in place to lessen either the likelihood or the impact of the risk. This, in turn, lessens the risk itself. At this point, the organisation will be left with a “residual risk”.
A “residual risk” is the risk left over once you’ve done all you can to mitigate it. The organisation then needs to decide if the cost of the insurance is worth it, compared to the overall risk.
Why am I having trouble getting cyber insurance and what should I do?
Cyber insurance is becoming more and more difficult to get because insurance companies simply cannot afford to keep paying out for breaches. Therefore, insurance companies are becoming reluctant to cover anyone they don’t already consider secure.
So, if you can’t get cyber insurance, what can you do? You can begin by looking at other ways to mitigate cyber-attacks and data breaches. In much the same way as fire insurance does not stop fires, cyber insurance will not solve your cyber security issues and it will not prevent a successful attack; it is merely a safety net in the event of a damaging attack.
As with any cyber insurance policy, you will still need to take reasonable precautions to mitigate an attack. Once you have these in place, perform a risk analysis to assess your new risk profile. You may, in fact, find that you have mitigated the risks to such an extent that cyber insurance is no longer an urgent issue.
Navigating cyber insurance can be a daunting task, but our experts are always only a phone call away.