Cyber insurance is a growing market, though still very much in its infancy in the UK, and the products offered can differ substantially, as the insurance companies are still trying to quantify the risks.
The big insurance companies have been working on creating robust cyber insurance products for large organisations, and these include detailed questionnaires around how their systems are secured and what has been implemented to mitigate the risks from cyber threats. This steers organisations to take responsibility for cyber security, and also enables the insurance company to help identify their exposure to cyber security risks.
In effect this is similar to household insurance. You are asked to confirm that you have fitted window locks and five-lever mortice locks, and whether you have fitted a burglar alarm. If you have taken precautions to protect your property you will benefit from a lower insurance premium. If you have not, then you present a higher risk to an insurance company and may therefore be charged accordingly.
Will insurance companies pay out if you suffer a cyber security breach?
If you make false declarations about the precautions you have taken, the insurance company will be within their rights to not pay out if you have to make a claim. They are experts at knowing what your policy covers, and what is excluded.
Recently, more insurance companies have realised the potential to offer small businesses another insurance product and have been creating various cyber insurance offerings around this. Some offer a support team to minimise the effects of a breach once you have notified them that you have a problem, and incident management is important in these circumstances. Surprisingly though, some do not require you to make any declaration about the steps you have taken to secure your systems first – does this create a false sense of security?
Some of these insurance companies have adopted scare tactics to encourage businesses to buy cyber insurance. However, frightening people into buying cyber insurance does not help them to take the basic steps needed to reduce their risks from a cyber security incident.
Whatever your insurance cover is, some items are difficult to replace. It is difficult to quantify the effect of a cyber security breach on your business’s reputation. It would be difficult to replace a family heirloom that had been passed down through the generations if it was stolen. In the same way, how do you replace the reputation of the business you have spent years and considerable effort building, and regain your customers’ trust, if you are a victim of a cyber security breach?
Cyber insurance – part of the solution
Cyber insurance is certainly going to be part of the solution to help reduce the impact from a cyber security attack. You cannot completely eliminate the cyber security risks, but you can mitigate them by taking effective precautions. It is possible that cyber insurance may eventually become a business necessity, as public and employers' liability insurance has.
When insurance companies understand fully what they are insuring you against, they will be in a better position to ask the right questions. Once the cyber insurance market matures in the UK, there will no doubt be a baseline of security they expect to be implemented, similar to locks for windows and doors.