6th May 2016
With cyber attacks increasing every year, businesses seek cyber security insurance only to be shocked at high premiums for blanket cover they may not need. With sophisticated cyber defence tools that can measure risk accurately, that is set to change.
Cyber security is a growing concern for businesses and with good reason. Every year, the number of cyber attacks grows and with it, the need for cyber liability insurance cover (CLIC).
The problem is that premiums can be prohibitively expensive because policies are too comprehensive, covering absolutely every potential threat whether it applies to a business or not.
These high, unnecessary costs can be unfeasible for smaller businesses leading them to remain completely unprotected, crossing their fingers and hoping for the best.
Now, using new cyber defence assessment tools, brokers can help businesses tailor their policies to match their risk profiles: but the businesses need to understand how to make sure they are getting the best possible deal.
Confusion around insuring against cyber security risks
Security professionals have repeatedly warned, ‘either you have been data breached, or you just don’t know you have been data breached.’
Of 11.6 million criminal offences reported in England and Wales last year, 7.6 million were cyber crime and online fraud. It was the first time these crimes were included in the overall figures, doubling them as a result.
According to the Information Security Breaches Survey 2015, 90% of large and 74% of small businesses had reported a data breach in the past year. This represents almost a tripling of cost to industry since the 2014 survey.
Only 18% of breaches are identified immediately, while 8% take longer than 100 days to spot. Cisco, through its OpenSOC hub, reported that in 60% of breaches, data is stolen in hours and 54% of breaches are not discovered for months.
That businesses should have cyber liability insurance cover (CLIC) in place is no longer contested in the USA, where there are mandatory requirements for data breach notification. There, it is now widely acknowledged that a combination of insurance, internal security policy and data protection IT is essential if a business is to withstand breaches.
New EU data protection rules are going to come into effect in 2018, including data breach notification requirements similar to those in the States. Businesses are being advised to take action now in order to be ready when the legislation comes into effect.
But, even with this on the radar, the Information Security Breaches survey revealed that 47% of companies didn’t feel CLIC was a priority, while 19% weren’t aware of its existence at all.
The problem with CLIC is that it's a relatively new policy that aims to mitigate relatively new risks. As with many new things, both insurers and the businesses they cover are still finding their way in understanding the threats and how they might impact business.
Without a standard means of testing and identifying specific cyber security risk, this problem couldn't be accurately addressed. The common result was for insurers to over-estimate the costs and charge premiums covering every possible eventuality, premiums that were far too expensive for the average business to pay.
But now, there are tools available to brokers that can ensure a business receives exactly the cover it needs, reflected in an accurate, affordable premium based on specific facts rather than industry averages.
Cyber Defence Assessment Tools
With the introduction of tools such as the MOD-developed Cyber Defence Capability Assessment Tool (CDCAT), businesses are now able to fully understand their areas of vulnerability. Most importantly, they can then use these tools to ensure their insurance premiums accurately reflect their risks.
These methodologies and scoring systems measure cyber defence preparedness. They draw on proven cyber security controls and inputs used by commercial, military and intelligence operations around the world. Results are then presented in a format consistent with the industry standard for IT service management, such as ITIL, mapped to cyber defence categories.
Each control carries a definition describing the level of compliance the organisation has achieved against it. An organisation is able to assess its performance, identify any gaps in its defence and see mitigation options, enabling improvement in any given area.
There are several cyber defence tools to choose from. The best of these meet the most stringent cyber security standards such as ISO/IEC 27001:2013. The resultant framework of data is then used to create a matrix based on the cyber security life cycle process: Assess, Deter, Protect, Detect and Respond. This can then be mapped against the ITIL life cycle, creating a universally recognised format that easily demonstrates your complete picture of risk.
Out of this complex combination of factors these cyber defence tools identify the most important, most effective controls against current threats, how well they have been implemented and where improvements can be made.
A swift route to affordable premiums
For insurance purposes, the benefits of accurate cyber risk assessment are clear. And this process shouldn’t take longer than a couple of hours; in fact, from a list of specific but simple questions, an expert should already have a good idea of your risk profile.
According to experiments by GCHQ and others, compliance with the top sixteen controls of the best tools means a business is around 98.5% secure against the standard threats that the average company is facing.
Applying a cyber defence tool to your risk assessment means leaving nothing to chance. Rather than relying on average data and anecdotal evidence from other businesses, you will be assessing your cyber security vulnerabilities through real, dynamic, proactive risk appetite analysis relating directly to your unique business.
Accurate potential worst case scenario costs can be calculated, allowing the IT security team to present a viable business case for security updates. And you can present your insurance broker with actual facts and figures, ensuring your policy protects you in precisely the areas of most risk and no others.
If a company is assessed as being 80% secure, for example, an insurer will view this as the company standing a 20% risk of being successfully attacked. That risk can then be translated into calculated financial and reputational impact using various sources such as the Verizon Data Breach Report.
It is very important to ensure the data you're measuring your cyber risk against is updated regularly. This will help you spot areas where you are overspending so that you can re-assign budget to areas more in need of financial support or investment.
What to ask your broker about cyber liability insurance cover
First of all, ask if they know how to measure your cyber defence risk accurately.
They should respond by presenting you with a short list of select questions relating to your current security protocol and policy. All questions should be fact based and relate directly to your specific business characteristics, such as:
- Does your organisation have an information security management forum or equivalent function?
- Does your organisation have an information security policy?
- Does your organisation have a register of critical information assets?
- Are physical security controls in place at all locations?
- Are IT and business procedures documented, conducted and reviewed?
- Are third parties secured, monitored and subject to review?
- Is regular testing conducted to assure the security posture of the organisation?
- Is an incident (such as a data breach) response plan in place?
Your answers will allow a broker using a cyber defence assessment tool to form a fairly good idea of your risk profile straight away. If they simply roll off a list of potential vulnerabilities without asking you for your specific input, the chances are they are not using a tool and your premium will probably cost you far more than it should.
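The scoring described above (controls graded for compliance, grouped into the Assess, Deter, Protect, Detect and Respond categories, then read as "80% secure means a 20% chance of a successful attack" and multiplied by a worst-case cost) can be made concrete with a small model. The code below is an added illustration, not CDCAT's or any broker's actual method or weighting. Its assumptions are: each of the eight broker questions is graded 0 to 3, every question is assigned to exactly one lifecycle category (the mapping is my own), every question carries equal weight, and the worst-case breach cost is a constructed figure supplied by the caller.

```python
"""
Hypothetical control-scoring model for a cyber defence assessment.

Constructed for illustration only: the question-to-category mapping,
the 0-3 grading scale and the equal weighting are assumptions, not the
method of CDCAT or of any insurer.
"""
from dataclasses import dataclass

CATEGORIES = ("Assess", "Deter", "Protect", "Detect", "Respond")

# Grading scale (assumed): 0 = absent, 1 = partial, 2 = documented and in
# use, 3 = documented, in use and regularly reviewed/tested.
MAX_LEVEL = 3


@dataclass(frozen=True)
class Control:
    question: str
    category: str


# The broker questions from the article, each mapped (by assumption) to one
# lifecycle category.
CONTROLS = [
    Control("Information security management forum or equivalent?", "Assess"),
    Control("Information security policy?", "Deter"),
    Control("Register of critical information assets?", "Assess"),
    Control("Physical security controls at all locations?", "Protect"),
    Control("IT and business procedures documented, conducted, reviewed?", "Protect"),
    Control("Third parties secured, monitored and subject to review?", "Protect"),
    Control("Regular testing of the organisation's security posture?", "Detect"),
    Control("Incident (e.g. data breach) response plan in place?", "Respond"),
]


def _check_levels(levels):
    if len(levels) != len(CONTROLS):
        raise ValueError("one compliance level per control is required")
    for level in levels:
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"level {level} outside 0..{MAX_LEVEL}")


def category_scores(levels):
    """Percentage achieved per lifecycle category (None if no control maps to it)."""
    _check_levels(levels)
    achieved = {c: 0 for c in CATEGORIES}
    possible = {c: 0 for c in CATEGORIES}
    for control, level in zip(CONTROLS, levels):
        achieved[control.category] += level
        possible[control.category] += MAX_LEVEL
    return {
        c: (round(100 * achieved[c] / possible[c], 1) if possible[c] else None)
        for c in CATEGORIES
    }


def preparedness(levels):
    """Overall preparedness as a percentage; every control weighted equally."""
    _check_levels(levels)
    return round(100 * sum(levels) / (MAX_LEVEL * len(CONTROLS)), 1)


def gaps(levels, threshold=2):
    """Controls graded below the threshold, i.e. the areas to improve first."""
    _check_levels(levels)
    return [c.question for c, lvl in zip(CONTROLS, levels) if lvl < threshold]


def expected_exposure(preparedness_pct, worst_case_cost):
    """Residual risk times cost: an 80% score is read as a 20% chance of loss."""
    residual_risk = (100 - preparedness_pct) / 100
    return round(residual_risk * worst_case_cost, 2)


def assessment_report(levels, worst_case_cost):
    """Bundle the figures a broker or IT security team would take to a meeting."""
    score = preparedness(levels)
    return {
        "preparedness_pct": score,
        "by_category": category_scores(levels),
        "gaps": gaps(levels),
        "expected_exposure": expected_exposure(score, worst_case_cost),
    }


if __name__ == "__main__":
    # Constructed sample answers and a constructed worst-case cost figure.
    sample_levels = [3, 3, 2, 3, 2, 1, 1, 3]
    for key, value in assessment_report(sample_levels, 500_000).items():
        print(f"{key}: {value}")
```

The per-category breakdown is what exposes the shape of the risk (here Detect is weakest), the gap list gives the IT security team its business case for spending, and the exposure figure is the number a broker can price against instead of an industry average.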
Once your accurate risk level is determined, you should be able to work with your broker to match a policy to your exact risk level, rather than paying too much for areas of defence you don’t need.
Most CLIC policies will include:
- Data breach / privacy crisis management: this covers expenses relating to the management of a data breach incident; the investigation, the remediation, data subject notification, call management, credit checking for data subjects, legal costs, court attendance, regulatory fines etc.
- Multimedia / media liability: third party damages covered can include website defacement and infringement of intellectual property rights.
- Extortion liability: this typically covers you for losses and professional fees related to dealing with extortion through things such as ransomware.
- Network security liability: this covers costs and damages to third parties as a result of your network being breached, such as data loss or costs incurred by your suppliers.
Other questions you may want to ask:
- What security controls can I put in place to reduce my premium?
- What security risk review will you perform?
- Will I get a reduction for each year I don’t make a claim?
- How will a claim affect my future premiums?
- How will you ensure my policy is up to date with current threats?