What is Cyber Insurance?

Cyber Insurance offers* to reduce the cost of a data breach

*requires additional preventative measures

A Cyber Insurance policy is only effective when part of an IT security strategy that includes other forms of data protection which are dedicated to reducing the risk of loss of or damage to information from IT systems.

I describe IT security as ‘the management of perceived risks for specific IT events’, and therefore Cyber Insurance is a valid method to manage and reduce risk.

Specifically, Cyber Insurance covers criminal damage or disruption to data, and in my experience Cyber Insurance policies issued in the UK also include subsequent loss of revenue and funds as well as the liability arising from an ‘IT security event’.

Certification reduces risk

To reduce the cost of Cyber Insurance, prove that you have reduced the risk using formal assessments. The Payment Card Industry Data Security Standard (PCI DSS) or the UK Cyber Essentials certifications are both excellent starting points.

Data regulations force improvement

The regulations, including GDPR and the computer misuse ACT, will certainly continue to evolve and I advocate that strengthened regulation around the management of data improves the supply chain, personal privacy, and raises skills across the broader economy.

The UK Information Commissioner will increasingly exercise their powers in both investigation and enforcement, forcing organisations to better manage the data they retain and process, making data security a commercial differentiator.

Enforcement action, fines, and penalties imposed by regulators are likely to create a leader board effect, which will significantly accelerate digital skills and product maturity such as Cyber Insurance within those countries.

Develop a strategy for managing data risk

A well-designed strategy will include data use policies, IT support, security assessment, formal certification, cyber insurance, legal advice and public relations support.

Only certification is standardised

Other than certification, it would be a mistake to assume these elements are easily compared. Whether you’re considering changing IT support or a new Cyber Insurance policy, it’s vital to check that the provider’s offer, terms and conditions align with your needs.

Mind the gap

If your objective is to improve security, I advocate using a formal ‘IT Risk Assessment’. This must be objective and undertaken by a different team than those who are responsible for the current situation.

An IT risk assessment will help identify assets, threats and appropriate countermeasures; if you’d like me to help with an IT risk assessment, please get in touch.

Choose the cover

As with any insurance, your Cyber Insurance policy will include a list of restrictions and exclusions. It is essential to consider each clause and the effect on the risks that you’re aiming to mitigate.

Importantly, where the IT risks are not covered sufficiently or where unnecessary cover is included, adjusting the policy to better fit is a usually possible. Where that’s not possible introduce other measures using technology or processes.

The policy excess

It is routinely reported that the fees paid to be released from ransomware that encrypts files have been negotiated down to less than £1000, an insurance policy with an excess of £1000 will not pay out.

Specific terms

It is common for organisations that have paid up previously will be targeted again, yet it is usually the case that subsequent breaches from the same group of criminals are specifically excluded and will not be covered.

Reducing cost

In my experience, when a data breach occurs, a high speed of response using a well-rehearsed incident response plan and effective communication will reduce the impact, improve the recovery time and reduce costs.

In every case, reducing the risk and costs of a data breach requires a plan, I consider a plan for a data breach to be as important as the plan for a fire alarm.

In summary if you’re considering your data risk, IT security or a cyber insurance policy and you’d like me to assist, please feel welcome to get in touch.

Why choose to work with Sytec?

• We focus on reducing risk
• Our work and checks are separated independent processes
• We consider compliance and security checks as the default
• You will know which engineer has access and when they took action
• You will have phone, email and face to face access to security certified engineers

About Sytec

Sytec provides IT networking, security, audit, consulting, and support services to a broad range of businesses. Based in Salisbury, engineers are available to respond on a same day basis to ad-hoc or emergency requests, and within minutes for customers with a prepaid pool of consultative support.
We enjoy representing many other IT companies who require responsive field engineers, sytec.co.uk/subcontract for more about our coverage and response.