Key Points
Cyber insurance won’t protect you from cybercrime, but it can provide financial security if you’re attacked. In this guide we’ll explain what cyber insurance covers, whether it’s right for your business, and how to use vulnerability management to keep your premiums down.
Who needs cyber insurance?
When Sony’s PlayStation Network was breached by hackers in 2011, it exposed the personal information of 77 million PlayStation users, preventing them from using their consoles for almost three weeks.
Sony spent over $170 million fixing the problem. Some of it would have been covered by cyber insurance – but Sony didn’t have any. Its commercial insurance only covered damage to physical property, leaving Sony to cover the full costs of any cyber damages.
Today, most big businesses have cyber cover, but cyberattacks are a fact of life for every business as attacks become increasingly automated and indiscriminate. Smaller businesses are just as vulnerable, especially if they lack the staff or know-how to defend themselves.
Get the basics right first
From phishing to DDoS attacks and malicious account takeovers, there are 65,000 attempts to hack SMBs in the UK alone every day, all of which could result in fines, compensation, lost revenue and business disruption. Start-ups in particular are agile and fast-moving, and lost revenue or downtime can quickly sink the business.
You need to do all you can to prevent attacks and protect yourself from threats, because insurance won’t do anything to prevent breaches. Insurance is only a safety net, and even then, just like other insurance policies, insurers won’t offer cover or pay out the cost of a breach if you haven’t taken reasonable steps to prevent hackers from gaining access to your data.
Is cyber insurance worth the cost?
Ultimately, you need to weigh up the cost of insurance against the cost to your business following a breach and the risk of fines, loss of revenue and reputational damage. Some customers and suppliers may expect you to be insured before they’ll do business with you too. If you’re not secure, neither are they.
Cyber cover also offers benefits beyond paying out on a claim. Many cyber insurance policies include services to help you deal with cyberattacks when they happen – from crisis hotlines, forensic investigation and recovering data and systems to negotiating with attackers and dealing with customers and staff who have been affected. This can be a real lifeline when dealing with an incident your business has never experienced before.
What does cyber insurance cover?
Cyber policies fall into two categories: first-party and third-party cover. In the event of an attack, most policies will cover financial and reputational costs if your data or systems have been lost, damaged, stolen or corrupted.
For you – the first-party – cover should include the cost of investigating a breach, recovering lost data, restoring your systems, loss of income, reputation management, and the cost of notifying any customers or third parties affected. Third-party coverage (claims against you) includes damages and the cost of defending yourself against claims of a GDPR or data protection breach.
What doesn’t cyber insurance cover?
As with all insurance, there are exclusions. Cyber insurance generally doesn’t cover potential future lost profits, or the loss of value of your business from the theft of your intellectual property.
More importantly, ransomware cover – money paid to hackers – may not be included, or may only be available as an optional extra. Ransomware cover can be very expensive and, combined with cost pressures elsewhere, a lot of organisations are choosing to buy less insurance, hold on to more of the cyber risk themselves, and pay the ransom if they’re breached. When your business is on the line, after all the hard work that got you there, you’re not going to say no unless you’re 100% sure you can recover.
It’s worth noting that most governments and law enforcement agencies recommend against paying, or expressly forbid it. In our opinion, all options should be available to you, because if you can’t pay the ransom then you can’t determine your own future – with the caveat that these people are criminals. In the US, if it’s proven that you’re paying a ransom to people on the sanctions list, you’re breaking the law and can go to prison. There are no cases of that happening yet, but more organisations are acting defensively because of it.
Remember that there may be no good option if you’re breached – you either go to prison, or you go out of business. So, you need to do everything you can to avoid being put in such a position by implementing a robust vulnerability management program.
How much does cyber insurance cost?
Your premium will depend on factors such as revenue, the industry you work in, the type of data you hold, and what cyber security controls you have in place. Policies can start from just £10 a month for a startup, so insurance doesn’t need to be out of reach.
Industries like healthcare or finance are more attractive to hackers because of the sensitivity of the information they hold, so the levels of cover needed and the resulting premiums can make insurance extremely expensive. Some insurers may even refuse to offer cover at all because of the rise in cyberattacks.
What do insurers require?
To keep your premiums down, insurers expect you to show that you’re committed to cyber security. They want to know that you practice good cyber hygiene and have robust security controls in place as part of an organised and proactive effort to manage cybersecurity risk.
Today, that means more than just anti-virus/anti-malware protection, patching, staff training and a response plan. Insurers now scrutinise your security controls and operational security, and look at what internal processes and standards you have in place to manage risk. Here are five tips to ensure you get adequate coverage and keep your premiums down.
1. Vulnerability management
Vulnerability management should be the starting point of every cybersecurity program. This includes vulnerability scanning, penetration testing, patch management and remediation.
Vulnerability management helps insurers understand the risks to your systems and data, so they can determine the appropriate level of coverage. There are several powerful and effective online tools like Intruder that will uncover known vulnerabilities and provide a summary of alerts for you to act on.
Regular vulnerability scanning should be paired with scheduled penetration testing for more in-depth, manual analysis. If the resulting threat level is low, insurers will be satisfied that you’ve taken steps to protect your data and avoid costly breaches.
Scanners like Intruder will also uncover any open ports and expired SSL/TLS certificates, as well as scan for vulnerabilities in your cloud-based services and your internal and external systems. Internal scans will also identify any endpoints needing critical software and firmware security patches.
2. Create an incident response plan
Insurers generally want to know how you’ll mitigate the immediate financial costs of any breach (how you will prevent further damage and ensure business continuity) and how you will manage it in the long term (notifying regulators and helping affected customers).
The quicker you can respond to a security incident, the less severe the damage will be and the less they’ll have to pay out. NIST’s Computer Security Incident Handling Guide is a good place to start for an incident response plan.
3. Protect your data, wherever it is
Your data is always on the move, whether it’s sent to a third party, uploaded to the cloud or held on portable devices like laptops and USB drives. This always involves risk: the information is no longer protected by your network defences and can easily be compromised if it’s lost and not encrypted.
That’s why insurers expect you to apply appropriate controls like encryption and multi-factor authentication (MFA). Vulnerability scanners can also help uncover out-of-support or legacy systems sitting out of sight in your network, which could still be an easy target for attackers.
4. Check compliance and certification
When you share information with third parties or use their services, you also share the risk. Check the security controls and practices of anyone you intend to work with. Some organisations and insurers expect you and your suppliers to have ISO 27001 or SOC 2 certification, both of which require regular vulnerability scanning and penetration testing.
5. Train staff in good cyber hygiene
The human factor is often overlooked, but employees will inevitably make mistakes that run the risk of compromising your systems and sensitive information. Ensure they understand the risks and why they need to stay vigilant with regular cyber hygiene training.
Pair insurance with vulnerability management
The role of cyber insurance may only begin after a breach, but it remains a useful component of any organisation’s vulnerability management strategy, because nobody is immune to ransomware, malware, DDoS attacks or other cyber threats.
And as the threat landscape gets ever more complex, some organisations will turn to cyber insurance for an added layer of protection. If you decide insurance is right for your business, you can demonstrate your commitment to cyber security with a vulnerability scanner and harden your security posture at the same time.
If you’re looking at insurance for the first time or trying to reduce your premiums, use Intruder to show that you take your cyber security seriously. Start your free trial today or get in touch for more information.