What is Cyber Insurance?
Cyber Insurance offers* to reduce the cost of a data breach
*requires additional preventative measures
A Cyber Insurance policy is only effective when part of an IT security strategy that includes other forms of data protection which are dedicated to reducing the risk of loss of or damage to information from IT systems.
I describe IT security as ‘the management of perceived risks for specific IT events’, and therefore Cyber Insurance is a valid method to manage and reduce risk.
Specifically, Cyber Insurance covers criminal damage or disruption to data, and in my experience Cyber Insurance policies issued in the UK also include subsequent loss of revenue and funds as well as the liability arising from an ‘IT security event’.
Certification reduces risk
To reduce the cost of Cyber Insurance, prove that you have reduced the risk using formal assessments. The Payment Card Industry Data Security Standard (PCI DSS) or the UK Cyber Essentials certifications are both excellent starting points.
BEWARE: The extent that Cyber Insurance will cover fines or penalties imposed by the regulator is unclear
A spokesperson for the UK Information Commissioner’s Office (ICO) in 2018 said that there was ‘nothing in the GDPR which either permits or prohibits’ insurance coverage for regulatory fines.
‘We are aware that there is insurance available against cyber risks and data breaches, but we are not aware whether insurance is available to provide cover against fines which may be issued by the ICO for breaches of the GDPR.’
Before the General Data Protection Regulation (GDPR), the EU’s main data protection law, organisations could be fined a maximum of £500k.
Since 25 May 2018, the maximum fine has been €20 million or 4% of global annual turnover (whichever is higher) for the most serious breaches of the regulation.
Data regulations force improvement
The regulations, including GDPR and the Computer Misuse Act, will certainly continue to evolve, and I advocate that strengthened regulation around the management of data improves the supply chain and personal privacy, and raises skills across the broader economy.
The UK Information Commissioner will increasingly exercise their powers in both investigation and enforcement, forcing organisations to better manage the data they retain and process, making data security a commercial differentiator.
Enforcement action, fines, and penalties imposed by regulators are likely to create a leaderboard effect, which will significantly accelerate digital skills and product maturity, such as Cyber Insurance, within those countries.
Develop a strategy for managing data risk
A well-designed strategy will include data use policies, IT support, security assessment, formal certification, cyber insurance, legal advice and public relations support.
Only certification is standardised
Other than certification, it would be a mistake to assume these elements are easily compared. Whether you’re considering changing IT support or a new Cyber Insurance policy, it’s vital to check that the provider’s offer, terms and conditions align with your needs.
Mind the gap
If your objective is to improve security, I advocate using a formal ‘IT Risk Assessment’. This must be objective and undertaken by a different team than those who are responsible for the current situation.
An IT risk assessment will help identify assets, threats and appropriate countermeasures; if you’d like me to help with an IT risk assessment, please get in touch.
BEWARE: Successful data breaches are increasingly the result of individuals being targeted, tricked or coerced
Increasingly, Cyber Insurance policies will specifically exclude actions deliberately carried out by a member of staff or by a third party in collusion with a member of staff.
Attacks include targeting individuals at home and holding their personal data to ransom until either a fee is paid or they follow specific instructions to infect their company’s network.
In every case I have been involved with, or aware of, timing and communication has been critical.
Choose the cover
As with any insurance, your Cyber Insurance policy will include a list of restrictions and exclusions. It is essential to consider each clause and the effect on the risks that you’re aiming to mitigate.
Importantly, where the IT risks are not covered sufficiently, or where unnecessary cover is included, adjusting the policy to better fit is usually possible. Where that’s not possible, introduce other measures using technology or processes.
The policy excess
It is routinely reported that the fees paid to be released from ransomware that encrypts files have been negotiated down to less than £1000; an insurance policy with an excess of £1000 will therefore not pay out.
It is common for organisations that have paid up previously to be targeted again, yet subsequent breaches by the same group of criminals are usually specifically excluded and will not be covered.
In my experience, when a data breach occurs, a high speed of response using a well-rehearsed incident response plan and effective communication will reduce the impact, improve the recovery time and reduce costs.
In every case, reducing the risk and costs of a data breach requires a plan; I consider a plan for a data breach to be as important as the plan for a fire alarm.
In summary, if you’re considering your data risk, IT security or a cyber insurance policy and you’d like me to assist, please feel welcome to get in touch.
Why choose to work with Sytec?
- We focus on reducing risk
- Our work and checks are separate, independent processes
- We consider compliance and security checks as the default
- You will know which engineer has access and when they took action
- You will have phone, email and face to face access to security certified engineers
Sytec provides IT networking, security, audit, consulting, and support services to a broad range of businesses. Based in Salisbury, engineers are available to respond on a same day basis to ad-hoc or emergency requests, and within minutes for customers with a prepaid pool of consultative support.
We enjoy representing many other IT companies who require responsive field engineers; see sytec.co.uk/subcontract for more about our coverage and response.