What to look for when taking out a cyber insurance policy
PA Consulting’s Carl Nightingale, cyber security expert, comments on what organisations need to consider when taking out cyber insurance policies, in an article in Computer Weekly.
The article explores what companies need to consider in light of increased cyber vulnerabilities under the post-pandemic hybrid working model.
The article goes on to discuss the average cost of cyber breaches. Carl explains that the average global cost of a serious breach was about $3.9m in 2019 and is set to increase, and urges IT security leaders to start seriously investing in cyber insurance.
Carl goes on to add that: “Cyber criminals are exploiting organisations’ uncertainty about cyber security, realising they can tailor attacks to the risk appetites of their targets. In an increasingly popular type of ransomware attack, the criminals research their victims to assess how amenable they might be to paying. These criminals know that if the targets see their demands as more affordable and less disruptive than restoring systems, then they will often prefer to pay the ransom.”
Carl goes on to explain that only 11% of businesses have adequate cyber insurance, adding that a lack of clarity about cyber insurance is a key concern among IT security chiefs.
Carl adds that due to the immaturity of the market, “premiums are often inconsistent, expensive and vague about the extent of cover. This has made it difficult for CISOs to trust cyber insurance to pay out in the event of a breach or to be sure they are meeting the insurer’s auditing requirements.”
Considering the biggest challenges that IT security faces, Carl says that leaders tend to overestimate their cyber maturity and underestimate cyber insurance premiums.
Adding to this, Carl comments that approaches and frameworks such as NIST CSF, CIS 20, NCSC Cyber Essentials and ISO 27001 don’t provide the tools organisations need to quantify risks, nor do they help to avoid them.
Carl explains that: “The ethics of negotiating with criminals are questionable, and the business impacts will be substantial. It’s only a matter of time before regulators, private equity firms and shareholders start to call out such tactics.”
The article also considers new developments in cyber insurance that help organisations improve their approach to cyber security and avoid the need to pay ransomware attackers.
To this, Carl says that some of the key insurance providers are offering innovative cyber insurance options that tailor cover to the individual needs of organisations by bringing in cyber security experts to assess cyber maturity.
Carl adds that organisations might, however, be reluctant to let companies with products to sell run extensive investigations into their inner operations, adding: “That’s when it can be helpful to have an independent review of your internal risks”.
Carl goes on to say that: “a review can help organisations meet the audit and compliance requirements of insurance policies and will allow them to focus on key areas they need to seek assurance.”
To conclude, Carl explains that backup and recovery procedures should be reinforced by security controls, and that there needs to be a complete set of policies and procedures to support the information integrity objectives of the organisation. He says that such a policy should include processes to control the addition, change or removal of user access, to manage data access requirements, and to review that access regularly.
He adds that security leaders also need to assess the risk to critical data at the operating system level and check physical security measures.