Why are more businesses taking out cyber insurance?
The popularity of cyber insurance is steadily rising. Over the past two years, Gravity Risk Services has seen the number of new policies increase by over 23%.
And it’s not surprising, with 40% of UK businesses being targeted by a cyberattack in the past 12 months. Research suggests this figure, in reality, is higher, as cyberattacks are underreported (Cyber Security Breaches Survey 2022).
Cyber Insurance: Core Business Risk Management
Companies House advise that businesses seriously consider cyber insurance. They warn that cyberattacks are emerging as one of the biggest risks facing businesses of all sizes, particularly as businesses have more data assets. Cyber security, today, is a core element of business risk management.
Organisations with cyber liability insurance are taking the right steps to manage their risk and ensure their longevity in the modern, digital environment.
Will my cyber insurance pay out?
Organisations should be aware of the responsibilities they must uphold for their cyber liability policy to pay out in the worst-case scenario. Any failure to meet the insurance terms may lead to the insurer not paying out.
Your responsibility to mitigate cyber risk
All cyber insurance providers expect the policy holder to take responsibility for mitigating risk, thereby limiting the chances of an incident. Cyber insurance conditions generally include many best-practice cyber security controls. These controls limit the chances of a cyber accident/incident from ever taking place. Requirements to mitigate risk and reduce the likelihood of an accident are common in insurance policy terms, for example:
- Specifying that you must have a firewall in place for cyber security is similar to a fire alarm being specified to prevent a fire in a fire insurance policy.
If your business premises had a fire, you would not expect a fire insurance policy to pay out if:
- You did not have a fire alarm
- Your fire alarm was faulty, or not working because it had not been tested
The same can be said for the cyber security controls stipulated in cyber insurance policies.
Key cyber insurance considerations
There are several common cyber security measures that insurance providers expect an organisation to implement for the policy to pay out. Here we list the most common cyber security controls stipulated in cyber insurance policies, as well as other important considerations when choosing a cyber insurance policy:
Read terms and conditions
Insurance conditions vary from one policy to another, depending upon your industry, insurance provider and your organisation's specific risks. It is important to read the terms and conditions in your policy to understand which cyber controls need to be implemented and when you are not covered.
Computer equipment connected to the internet or any other external network must be protected against unauthorised access by a suitable firewall. The firewall will need to be updated at least once a month, if not automatically. Cyber insurance will not pay out if the firewall is not in effective operation at the time of a loss.
Software updates are a standard cyber insurance term and mitigate known vulnerabilities. Cyber insurance policy holders are typically required to ensure that firmware, operating system, software and program updates are installed within 14 days of being released by the manufacturer or provider.
- Software updates: Smart devices, tablets and phones
Updates are required not only on computers, but also on smart devices, tablets and phones: any device that has access to your network.
- Automate software updates
Organisations should ideally automate security updates to avoid falling foul of this criterion.
- Outdated operating systems
Research shows that 16% of businesses and 14% of charities have unsupported versions of Windows installed. If any of your computers run Windows 7 or 8 (pre-Windows 8.1), they are no longer supported and are not receiving important security updates.
Access and Passwords
Some of the biggest cyber-attacks have been caused by organisations failing to change a manufacturer default password. Ensure that all passwords are changed from their defaults; otherwise, this oversight could void your cyber insurance.
- Individual ID and password
All computers should also have an individual user ID and password for each person. Group or shared usernames/passwords will void your cyber insurance policy.
Access to your network should also be limited. For example, there is no reason why your marketing team needs IT administrator rights. Unjustifiable access to IT administrator passwords could void your insurance policy if this proves to be how a hacker gains access. Remember, a hacker can also be an employee.
It’s important to ensure that employees only use work laptops to access work networks. Employers have no control over personal device security, whether it be personal laptops, phones or tablets. If your network is hacked through an insecure personal device, then your claim could be void.
- Work laptops for employees only
Employers should ensure that work laptops aren't being used by family members. Quite often, children use their parents' laptops to complete homework; however, if a zip file were to be downloaded as part of a homework task and initiate a cyber-attack, again, it could invalidate your cyber insurance.
Cyber insurance also stipulates that data must be backed up. Policies typically request:
- Two copies of data backup at different locations
At least two backup copies of your data should be stored separately from the systems and programs that hold the live data. One copy can be saved on your premises, but a second copy should be saved off-site at a different location.
Data should be backed up at least every seven days. While some insurers may allow a longer period between backups, organisations should consider, practically, how much data they can afford to lose in the worst-case scenario. Seven days of data is a significant amount to lose for most organisations.
- Data backup checks
Data backups must also be checked and validated, for example by using operating system backup-verification routines or checks.
Cyber insurance terms typically state that anti-virus software should be in full and effective operation at the time of a loss. Anti-virus is normally automatically updated, but otherwise should be updated at least monthly.
Cyber insurance will not pay out if you were aware, or ought reasonably to have known, of a pre-existing issue before the cyber insurance was taken out, for example bad password management or out-of-date operating systems. If a pre-existing problem causes a cyber incident, then you may not be able to make a claim.
Cyber policies are typically invalidated if your organisation has been the victim of a cyber incident/breach within the past three years. Once your network has been breached, or accessed through a backdoor, your network security is considered weak and therefore vulnerable/prone to future cyber incidents.
How do I know if I have the correct cyber controls?
We highly recommend that businesses complete a cyber security health check to ensure the validity of their cyber insurance.
Our trusted partners, cyber security specialists Superfast IT, offer a Free Cyber Health Check to Gravity Risk clients. The Free Cyber Health Check will uncover whether your existing set-up meets cyber insurance policy terms and will provide guidance on what to do next if you are falling short.
Simply email firstname.lastname@example.org or schedule a call directly with their cybersecurity consultant for a free consultation.
Don’t Assume you’re covered by IT Support
To assume is to guess. The Cyber Security Breaches Survey 2022 found that businesses assume their IT providers have excellent cyber security. However, the National Cyber Resilience Centre warns that while IT providers may be good at traditional IT and have good technical knowledge, it doesn't mean they have a good understanding of cyber security.
Is cyber security included in your IT support package?
Also be aware that the vast majority of IT companies don’t include cyber security as standard in their IT support package. Typically, cyber security is an additional paid service.
Recommended actions for businesses with IT support
- Check what’s included in your IT support package. Does it include any cyber security controls?
- Check that you have a service level agreement (SLA) in place.
It's important to clarify your IT company's responsibilities. An SLA ensures their duties are formally recorded and will clarify which cyber security controls they look after.
- Is your IT support company Cyber Essentials certified?
IASME and the NCSC highly recommend that businesses look for an IT provider that is Cyber Essentials certified. It demonstrates they are serious about cyber security and competent in implementing security controls.
- Due diligence
If cyber security is included in your IT support, then follow up with thorough due diligence or measurement of KPIs. If your business risks are not reviewed throughout the duration of the relationship, then it's likely your security is stagnant or outdated. Cyber security is continuously developing to address new cyber risks.
- Audit your Cyber Security
Audit and review the effectiveness of your cyber security. Take advantage of the Free Cyber Health Check for Gravity Risk Services clients, which is provided by our trusted cyber security partners, Superfast IT.