It goes without saying that your organisation must protect itself from cyber threats. If your systems are breached, you can face extensive financial and reputational damage.
Cyber insurance is therefore essential to cover the cost of a breach, including the time spent investigating it, recovering data, and lost business.
Given the increasing threat of cyber-attacks, it’s essential to review your cyber insurance policy every year and upgrade the cover if necessary. There’s no doubt that premiums are increasing, the list of exclusions is growing, and claim limits are being trimmed.
The cyber protections you need
Underwriters are raising the bar in terms of the cyber security protections you need to have in place before they’ll be prepared to cover you at an affordable premium.
Here are just a few questions, taken from several application forms, that insurers may ask when you apply for cyber insurance. Answer them accurately: a control claimed on the form but not actually in place can give the insurer grounds to reject a claim.
- Do you have formal IT policies approved by management?
- What is the target time to deploy critical security patches for servers and workstations?
- Do you classify your information resources according to their criticality and sensitivity?
- Do you store Personally Identifiable Information (PII) on your network, including commercial and marketing data, payment card details, or financial or healthcare records?
- Do you back up your data daily, maintain off-site copies, and test the restore process?
- Do you have a disaster recovery plan and test it regularly?
- Have you implemented cyber security controls, including: advanced endpoint protection; application whitelisting; custom threat intelligence; security awareness training; database encryption; Distributed Denial of Service (DDoS) mitigation; Data Loss Prevention (DLP); Domain Name System (DNS) filtering; Intrusion Detection System (IDS); incident response plan; mobile device encryption; Multi-Factor Authentication (MFA); network penetration testing; network perimeter firewalls; network segmentation; Security Information & Event Management (SIEM); web application firewall; web content filtering?
- Do you provide training on phishing/social engineering scams for all employees involved in transferring funds on behalf of your organisation?
- Before you transfer funds to an account you haven't paid into before, do you confirm the request with the recipient through a channel different from the one used to make the request (for example, a call-back to a telephone number already on file rather than one supplied in the email)?
When reviewing your policy, you need to be very clear about exactly what’s covered and what’s excluded. Here’s an important (but not exhaustive) list of potential inclusions to use for reference purposes:
Cover for losses that directly affect the organisation
- Cyber Extortion
- GDPR Cyber Liability
- Fraudulent Instruction
- Funds Transfer Fraud
- Invoice Manipulation
- Network Security
- PCI DSS Liability
- Regulatory Coverage
- Telephone Fraud
- Voluntary Shutdown
Cover for losses suffered by others affected by a cyber incident
- Contingent Bodily Injury
- Multimedia Liability
- Privacy Liability
Cover for the costs related to remediation
- Breach Response Costs
- Business Interruption Loss
- Computer Hardware Replacement Cost
- Data Recovery Costs
When purchasing or reviewing your cyber security insurance policy you may find the process overwhelming, and the level of detail required by your insurance company beyond your technical knowledge. If so, we can help make the process much easier by providing the technical information you need.
Please contact us if you’d like help with any technical questions you need to answer prior to obtaining or renewing your cyber security insurance.
Pact IT Solutions