+44 (0)20 8559 2111

News

What Cyber Security Capabilities Do Insurers Look For?

Jul 2, 2024

Whether your business is large or small, you’re either preparing for a cyber threat by implementing IT Security features or planning to implement features to stop them.

Many people acknowledge that cyber events happen but still refuse to believe that they will happen to them, and their business.

One single point of vulnerability in your business is all it takes for a cybercriminal to access your network, log in to a device or the tools you use, or trick you or a staff member into sending them money.

As cyber threats continue to evolve and become more sophisticated, the demand for cyber insurance has steadily increased.

While high-profile cyber events and data breaches have highlighted companies’ potential financial and reputational risks, it doesn’t portray a true picture of the volume. In the latest Government stats, 50% of businesses report having suffered some kind of cyber security breach or attack in the last 12 months. This number is much higher when you look at the size of businesses; medium businesses (70%), large businesses (74%) and high-income charities with £500,000 or more in annual income (66%).

As data protection and privacy regulations (such as GDPR) become more stringent, and more and more businesses are being tricked into sending money to cyber criminals, businesses are turning to cyber insurance as a way to mitigate potential regulatory fines, legal costs and reclaiming monies.

Cyber Insurance policies

Cyber insurance policies are becoming more flexible to the needs of businesses and the Risk appetite.

Policies can be tailored to businesses of any size, so it’s worth speaking to a broker to find out what cover can be arranged for you.

The cost of cyber insurance

The cost of cyber insurance premiums varies significantly based on factors like your company’s industry, size, the volume and type of data you store, IT security strategies and coverage limits, and what kind of additional risk management services you would be looking for.

Again, policies can be tailored to your business, so it’s worth speaking to a broker to find out what can be arranged to suit your business needs.

What you need to know about cyber insurance

Whilst Cyber Insurance is generally not mandatory for companies, there are situations, for example, contractual obligations or industry drivers that prompt you to consider obtaining a cyber insurance policy.

Insurance companies are placing greater emphasis on risk assessments and underwriting processes, so you will likely need to demonstrate what IT security measures and practices you are using or not using in order to obtain cover.

Here’s an overview of the typical process and the requirements that insurance companies might ask for in terms of demonstrating security controls:

  1. Proposal

    The first step is to fill out a proposal. This will gather information about your company’s data storage and how much of it is personally identifiable, operations, IT infrastructure, security measures, and any previous cyber incidents.

    Depending on your business, you may then be invited to provide further evidence to support your application, including:

  2. Risk Assessment

    Insurance companies may want to conduct a risk assessment based on the information you provide in the application. Underwriters will evaluate the industry you work in, size, data handling practices, security controls, and historical cyber incidents. This assessment helps the insurer understand the level of risk associated with insuring your company.

  3. Security Controls Assessment

    Insurance companies can also require you to demonstrate your cybersecurity measures and controls. This might include providing documentation and evidence of the following:

    Security Policies and Procedures: You may need to show that you have cybersecurity policies and procedures in place, and that they are regularly updated and communicated to employees.Network Security: Insurance companies may ask for details about firewalls, intrusion detection systems, encryption protocols, and other network security measures in place.

    Data Protection Measures: You may be asked for information on how you protect sensitive data, such as customer information and proprietary data, through encryption, access controls, and secure storage.

    Incident Response Plan: Insurers may want to know or see your incident response plan. This includes steps for containment, investigation, communication, and recovery.

    Employee Training: You may need to show that you regularly train employees about cybersecurity risks and best practices to prevent social engineering attacks and human errors.

    Vendor Management: Insurance companies might inquire about any third-party vendors/systems/tools, as they can introduce risks to your environment.

    Patch Management: Demonstrating a systematic process for keeping software and systems up to date with security patches is important to insurers.

    Penetration Testing and Vulnerability Assessments: Some insurers may require evidence of regular penetration testing and vulnerability assessments to identify and address potential weaknesses.

    Multi-Factor Authentication (MFA): Implementing MFA for critical systems can improve your cybersecurity posture, and insurance companies may want to know if it’s in place.

  4. Underwriting

    Based on the risk assessment and the information provided by the company, the insurance company’s underwriters will determine the coverage limits, exclusions and extensions, and premium rates for the cyber insurance policy.

  5. Policy Issuance

    If both parties agree on the terms, the insurance company will issue the cyber insurance policy, outlining the coverage, limits, exclusions, and any conditions that need to be met.

  6. Ongoing Monitoring and Reporting

    Some insurance policies may require ongoing monitoring of cybersecurity practices and regular reporting of security incidents or IT environment changes.

Understanding your security

It’s important to note that the decision to obtain cyber insurance is based on a thorough assessment of your company’s specific risk profile, cybersecurity measures, and potential financial exposure.

You should work closely with an insurance broker who can arrange a policy that aligns with the business’s unique needs and risk tolerance.

Additionally, the landscape of cybersecurity and cyber insurance is dynamic, so it’s important to stay current with the latest trends and regulatory changes.

For further information on how Cyber Insurance can support your business, please speak to our team. Alternatively, if you are a client, please speak to your adviser.