Cyber threats are at the bleeding edge of technology and evolve so rapidly that it is near impossible to keep defences watertight. With businesses increasingly dependent on IT and electronic data for their everyday activities, cyberattacks and failures can result in the complete failure of businesses or, at the very least, force some to change their day-to-day activities. According to Government statistics, 10% of organisations affected by a cyber-breach were forced into changing how their businesses operated.

Cyber insurance is an increasingly important way for businesses of all sizes to manage the threat of cybercrime; however, less than 10% of UK companies actually take out specific cyber insurance protection. One might wonder why take-up is so low. Incredibly, cyber insurance cover has been around for 10 years but, it seems, many of us don't have confidence in the types of products or services currently being offered.

In the US, mandatory notification laws for data breaches in 46 out of 50 states have encouraged businesses to take out insurance, so clearly it is purchased, but premiums vary tremendously as the insurance industry struggles to come to terms with how to underwrite such insurance.

A similar situation is likely to follow in the UK with the impending draft EU data protection regulation which will include mandatory notification of breaches. The scale and timing of the regulation are yet to be determined.

The basics to buying cyber insurance:

In general, cover against cyber theft or attack is roughly three times more expensive than general liability and six times more than property insurances. Insurers tend to offer a pricing structure that charges companies similar rates regardless of the underlying risk - a factor that has discouraged take-up.

For many insurers and brokers, the technicalities of information security and the details of how to deal with a data breach remain a mystery. A good starting point is to determine the costs or expenses you think need covering and the types of incidents you want cover for.

Finding a broker

A specialist broker will save you time and help you find out what is right for your business. This person may not necessarily be the same as the one who provides your usual insurance. It is always advisable to provide them with a list of the estimated expenses and costs that you might incur in the event of a data breach, and to discuss any exclusions that might be imposed that could prevent you from making a claim.

The right insurers

Good cyber insurance companies will provide robust support to a broker or direct customer. They will know the risks being taken in relation to your completed proposal form and the premium you will need to pay. Choosing the right insurer can be the difference between paying for too little cover that will never protect you in the event of an incident, paying too much for inappropriate levels of cover, or having cost-effective cover where the insurer understands the implications of a breach and the costs associated with it and applies an appropriate premium for the cover.

Policy

Choosing the right policy for your business, business model, industry, size and exposure is a complex exercise. It is important to understand the kind of support being provided as part of the cover. Some policies provide a point of contact who will handle everything from the moment the insurer has agreed the claim, whereas others will let you manage the incident and decide which services you want to use from a list of suppliers.

For organisations that don't have the people or experience to manage a data breach incident, a third-party supplier is usually the better option.

Other issues:

All policies have a set of exclusions, terms and definitions but here are some other issues you should consider:

  • What security controls can you put into place to help reduce your premium?
  • Will you need to undertake a security risk review?
  • What is expected from you to reduce or limit the risks?
  • Do you get a no-claims discount each year?
  • What assistance is provided to improve information governance and information security?
  • What support, if any, will be provided to assist in making the right security decisions for the industry/business you are in?
  • The security/protection industry is fast changing so how can the insurance ensure that your policy is current?
  • Do all portable media/computing devices need to be encrypted?
  • What about unencrypted media in the care or control of your third-party processors?
  • Are malicious acts by employees covered?

For small and medium-sized enterprises (SMEs) there are some simple policies available, but sometimes these raise more questions than they answer, as they do not always provide a full list of exclusions or terms and definitions. With detailed policies you should know better where you stand.

Unfortunately, no two businesses are the same when it comes to cyber risks, so it is key to understand the cyber risks your business faces and to ensure your cyber policy is tailored to mirror those risks.

Cyber insurance alone does not replace the need for good security practice, and businesses should aim to be smart in their approach and consider the people, process and technology elements, as well as physical security, when it comes to protecting against cyber threats.

Taking a proactive approach to security may be an alternative for some businesses. Having a reliable, risk-free, cost-effective disaster recovery position may well turn out to be less expensive than cyber insurance and, if done well, will afford a very good level of protection. Using a colocation data centre in a risk-free location to provide your business with a second place for your data to be stored is almost certainly better protection for your business. Copying the data to the secondary location is cheap and enables the business to have a completely safe copy of the data and, if it sits behind a well-configured firewall, will provide protection against data theft, data loss and data breach. This approach would also make the calculation of a premium for cyber insurance much easier for the insurers, because they could take a balanced view of the risk and the measures taken to mitigate it.

There is a bewildering and confusing list of options, but in ten years' time cyber insurance will be as common as any other insurance policy.