Taking a proactive approach to cyber insurance
Published: 31st July 2023
Cyber insurance is becoming an increasingly significant safeguard for businesses across all industries. It adds a layer to an organisation’s security infrastructure, helping to bolster its financial resilience in the event of an incident and provide further peace of mind. It is, however, becoming more and more difficult to obtain.
This is because, as the cyber threat landscape continues to evolve, the insurance market evolves alongside it. Policies are becoming more specific, more expensive, and more exclusive in their coverage. This means that, for businesses looking to take out cyber insurance, it isn’t just a simple process of picking a provider and paying the fees. Instead, they must ensure their security is up to the standards of their insurer – and that they understand the terms of the coverage – or else any cyber claim application will either be denied or come with a hefty premium.
Understanding cyber insurance coverage
First of all, before taking out any insurance policy, it is crucial that businesses understand exactly what is covered by the policy they are signing up to, including any additional restrictions or exclusions that might lead to a claim being rejected. Businesses will be expected to prove they took appropriate measures to prevent any incident and, if they can’t, may be refused a payout in the aftermath. Given the soaring costs of cyber policies, it’s imperative that those taking out coverage are fully aware of what they need to evidence when claiming.
Additionally, companies should regularly check for additional exemptions from the insurer as to what will be covered. Lloyd’s of London’s recent decision to remove coverage for state-sponsored attacks is a move that will likely be echoed by the majority of providers and, along with other restrictions, limit the amount of damage that can be absorbed. It is also worth noting that many insurers are stipulating that, in the event of a breach, they will be the ones to choose the company investigating the attack.
Organisations must therefore have a firm and up-to-date understanding of all the requirements and restrictions outlined in their policy before committing to the insurance, or else they may find themselves in a difficult position when trying to claim.
Becoming eligible for cyber insurance
Once a business has extensively reviewed their policy, the next challenge is meeting its eligibility requirements, which insurers have refined in line with the growing number of threats. Organisations now need to demonstrate they have robust and effective security measures in place, including access controls, network, cloud and endpoint protection, monitoring tools, and regular security awareness training and testing.
To prepare themselves for any assessment, organisations ought to perform a security audit and ensure they comply with the insurance requirements before applying, as well as maintaining compliance with any additional industry-specific regulations. These requirements are likely to continue evolving, alongside the threat landscape, and it is worth regularly checking for updates – as some requirements may take advance preparation.
One area that we predict insurers will start paying further attention to is an organisation’s previous history of cyber incidents. Similar to reporting any prior traffic incidents when applying for car insurance, it is likely that insurers will expect companies to disclose any previously recorded attacks and details on how these were managed. For companies to be able to provide this evidence, they will need to have already employed monitoring tools to gather and store this information.
Supply chain security is another area that will likely be subject to further scrutiny. As the digital supply chain grows, so does the attack surface, making it a more inviting target for threat actors. This has led to strengthening supply chain security being included in mandates for the more highly regulated industries – such as the DORA regulations for financial services. Again, this will require businesses to put additional tools in place (such as Zero Trust Network Access) to improve their risk management over third-party suppliers and provide evidence to their insurer.
The future of cyber insurance
The cyber insurance market is constantly evolving and, to benefit from it, businesses need to not only meet current requirements but also anticipate future stipulations. To do so, companies must assess and upgrade their current security infrastructure and prepare to invest in future-ready tools (such as enhanced incident reporting and supply chain security). This will not only help companies secure insurance should requirements change, but it will also strengthen their security environment and bring down the costs of their premium.
For further insight on the future of cyber insurance, read more from our Chief Financial Officer, Mark Hunter: Prepare now for cyber insurance, even if unsure you need it.