Introduction
This document is intended for organizations, regardless of size, who are contemplating the purchase of cyber insurance.
The focus here is not to serve as a complete guide for cyber insurance buyers, but rather to highlight the key cybersecurity considerations associated with cyber insurance. For those looking into cyber insurance options, the following questions may assist in structuring your discussions. While the guidance primarily addresses standalone cyber insurance policies, many queries could also be applicable to cyber insurance offered within other insurance products.
Note:
Initially, it’s advisable to check whether your organization already possesses cyber insurance through existing policies, like business interruption or property insurance. These may provide some coverage for cyber-related damages or may specifically exclude certain cyber incidents. Review your policy documentation or consult with your insurance provider or broker for further clarification.
Understanding Cyber Insurance
In an era characterized by diverse and ever-evolving cyber threats, cyber insurance can play a crucial role in helping your organization recover should something go awry related to cybersecurity. Addressing cyber incidents (such as ransomware attacks or data breaches) often necessitates specialized technical expertise. Beyond minimizing operational disruption and offering financial security during an incident, cyber insurance may also assist in navigating legal and regulatory matters that arise after a breach.
However, before considering cyber insurance, it’s vital to bolster your organization’s defenses with fundamental cybersecurity measures, ideally those certified by Cyber Essentials or Cyber Essentials Plus.
Note:
Cyber insurance is not a one-stop solution for all cybersecurity challenges, nor will it prevent a cyber breach or attack. Much like homeowners with insurance are expected to maintain adequate security, organizations must continuously implement protective measures to safeguard their critical assets.
Assessing Your Current Cybersecurity Measures
Acquiring an insurance policy may necessitate providing details about your security controls, which can encompass technical, procedural, and human elements. Collecting this information might involve contributions from various individuals within your organization or third-party providers (for instance, IT specialists).
It’s essential to clearly identify what aspects of your organization require the most protection (your ‘crown jewels’) and determine any scenarios that should not occur. Refrain from merely adhering to the minimum cybersecurity standards proposed by an insurer, as these may fall short of safeguarding your organization’s vital interests. To assist with this process, the NCSC has released additional guidance on understanding and managing cyber risk.
Certain insurers provide discounts for organizations with recognized cybersecurity safeguards, such as those certified by Cyber Essentials or Cyber Essentials Plus. It’s advisable to inform your broker of these certifications. Completing such programs not only potentially reduces your premiums but also communicates to clients, partners, and suppliers that your organization prioritizes cybersecurity, making it wise to consider even if you’re not currently pursuing cyber insurance.
Some organizations that achieve Cyber Essentials certification may access cyber liability insurance through the IASME Consortium. This kind of insurance may not suit all organizations, so the questions in this guide remain relevant to ensure any offered cyber insurance aligns with your requirements. For inquiries about this type of coverage, refer to the information from IASME.
Gathering Expertise for Policy Assessment
Cyber insurance policies frequently include extensive technical information that can be laden with cybersecurity terminology. If you find the policy difficult to understand, consider identifying colleagues within your organization who can provide assistance. This may involve individuals who:
- manage contracts (e.g., lawyers or commercial managers)
- oversee IT and security systems (e.g., technical experts)
- are responsible for crafting organizational policies and procedures (e.g., human resources)
If accessing technical expertise directly is problematic, you might consider enlisting the help of an NCSC-assured cyber security consultancy. For smaller organizations, your broker can offer advice on evaluating potential policies.
Understanding the Impact of Cyber Incidents
A cyber incident can affect a business in numerous ways. For instance, ransomware might render systems or devices inoperable, or lead to data loss (including customer data) due to malware. Developing a thorough understanding of the potential impacts and their repercussions on your organization is crucial. This includes assessing the financial ramifications of business interruptions and the costs associated with response and recovery. Implementing proactive measures (like ensuring backups are stored separately from your network, or in a dedicated cloud service) may help mitigate the effects of ransomware attacks.
Unlike incidents such as fire or theft that may be confined to a specific area, cyber incidents frequently aren’t limited to a singular location. Grasping how your organization operates and the interdependencies among various parts is vital for assessing the extent of an incident, which can have worldwide repercussions.
Policy Coverage Details
Prior to acquiring coverage, it’s essential to comprehend the importance of your organization’s data, systems, and devices to its operations in order to establish an appropriate level of insurance.
Make sure to thoroughly understand what the policy includes, as well as what it excludes. Certain insurance policies may not cover financial losses resulting from business email compromise fraud, illustrating that a commonplace incident may not be included in standard cyber coverage. If business email compromise is a concern, it’s crucial to verify that your policy provides the necessary coverage.
Keep in mind that cyber threats continuously evolve, and you could be affected by new forms of attacks that didn’t exist when the policy was initiated. Be sure to ask your broker if you’d be covered for any emerging cyber threats that aren’t addressed by your current policy.
Other pertinent questions include:
- Does the cyber insurance policy cover claims from third parties following a cyber attack, or in the event of personal data loss due to a data breach within your organization?
- What are the policy limits, and are they suitable for your organization?
- What immediate assistance does the insurer provide in response to an incident to facilitate recovery and enhance resilience? It’s essential that your organization learns from any adverse events to improve future defenses.
Included Cyber Security Services
Many insurers provide access to cybersecurity consultancy services and risk management support after policy acquisition. This can encompass resiliency planning alongside financial coverage. Utilizing these services, particularly when in-house expertise is unavailable, can help lower the likelihood and potential effects of a cyber incident or breach. However, it is crucial to determine how these offerings align with your cybersecurity needs and overall risk management strategy.
Policy Support During and After Cyber Incidents
Some insurers provide valuable resources during or right after a cyber incident, like IT forensic services, legal advice, or public relations assistance. They may facilitate connections with a Cyber Incident Response (CIR) organization or their in-house cyber incident response teams. Additionally, the NCSC’s Incident Management guidance can be beneficial for planning, developing, and sustaining an effective cyber incident response capability.
Typically, coverage addresses immediate organizational impacts by striving to restore network systems and data as quickly as possible, reducing losses from business interruptions. In the case of data breaches, legal actions from customers or other impacted parties may arise. Defense and resolution of these claims are usually covered. Certain cyber insurance policies may offer broader protections, including against computer-enabled fraud.
Requirements for Claiming or Renewing Cyber Insurance
Most cyber insurance policies undergo re-evaluation every 12 months. It is your responsibility to ensure that the cyber security details of your organization are accurate and current. Insurers need to fully understand the security measures you have in place and may require other relevant information. Like all insurance, it is crucial to notify your insurer of any changes in circumstances to maintain coverage. If you claim that specific security measures are implemented when they are not, the insurer may not be obligated to honor claims.
Further Resources: Cyber Security Guidance from the NCSC
The NCSC website offers a wealth of detailed cyber security advice and guidance:
- Cyber Essentials: provides defense strategies against the most prevalent cyber threats and demonstrates your commitment to cybersecurity.
- Small Business Guide: offers strategies for enhancing cybersecurity within your organization efficiently and cost-effectively.
- Small Business Guide: Response and Recovery: advises small to medium-sized organizations on preparing their incident response and recovery strategies.
- Board Toolkit: a collection of resources aimed at fostering essential cybersecurity discussions between board members and technical experts.
- 10 Steps to Cyber Security: in-depth guidance for larger organizations on protecting themselves online.
- Cyber Assessment Framework: offers guidance for organizations responsible for critical services, including those subject to cyber regulation or managing public safety risks.
- Exercise in a Box: a free online tool that helps organizations evaluate their resilience to cyber attacks in a controlled environment.
- NCSC’s Incident Management guidance: insight on detecting, responding to, and resolving cyber incidents effectively.
- Cyber Incident Response (CIR) certified companies: networks of certified companies available to assist significant organizations facing targeted cyber threats.
- Mitigating Ransomware and Malware Attacks: strategies for defending against these types of cyber threats.
This article was taken from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance