We’ve had a lot of comments following our recent article advising insurance companies on how to protect themselves against cybercrime. The content clearly touched a nerve with many small business owners.  

Here we’re looking at insurance from the other end of the spectrum – from the perspective of business owners who need to obtain cybersecurity insurance. 

Whether or not your business needs cybersecurity insurance depends on factors like the type of data you handle, your cybersecurity practices, industry regulations, and risk tolerance. However, we would recommend that you think carefully about obtaining it. Any business that has an email address and sends emails to customers and suppliers is handling sensitive data and is therefore a target for a cyberattack. Obviously, it’s crucial to assess your specific situation, including financial readiness for potential cyber incidents, when you’re deciding if cybersecurity insurance is necessary, but please be warned that even businesses with very strong cybersecurity in place can still get hacked. 

Here’s the rub! 

Whilst the necessity for cyber insurance is going up, so too are premiums and the requirements for obtaining it. 

We’re constantly hearing about insurance costs that are on the rise, and businesses struggling to fulfil documentation demands. 

It’s now far more likely that you’ll be asked to give details about your IT Support provision and strategies. 

Insurers now routinely request various pieces of information in order to assess the level of risk associated with insuring a particular business and to determine appropriate coverage and premiums.  

There are several factors relating to IT support and strategies that insurance companies ask businesses to evidence when they enquire about cyber insurance.

Cybersecurity Policies and Procedures: Insurers may want to see your company’s cybersecurity policies and procedures, including how you handle data security, access control, incident response, and employee training. They will assess whether you have adequate safeguards in place to protect against cyber threats. 

IT Infrastructure Overview: Provide an overview of your IT infrastructure, including network architecture, hardware, software, and data storage systems. Insurers will want to understand your technology environment to assess potential vulnerabilities. 

Risk Assessment: Businesses are often asked to conduct a comprehensive risk assessment or vulnerability assessment. This includes identifying and assessing potential cybersecurity risks and vulnerabilities within your organisation. 

Incident Response Plan: Share your incident response plan, which outlines the steps your organisation would take in the event of a data breach or cyberattack. Insurers want to ensure you have a plan in place to minimise damage and respond effectively. 

Security Audits and Assessments: Insurers may request recent security audits, penetration test results, or third-party assessments of your cybersecurity situation. This helps them evaluate the effectiveness of your security measures. 

Employee Training and Awareness Programmes: Details about cybersecurity training and awareness programmes for employees are often requested. Insurers want to know if your staff are educated on cybersecurity best practices. 

Data Encryption Practices: Information on how you encrypt sensitive data both at rest and in transit is important. Encryption is a key security measure, and insurers may want to verify that it’s implemented appropriately. 

Backup and Disaster Recovery Plans: Your backup and disaster recovery plans are critical in case of data loss or system downtime. Insurers will want to review these plans to ensure they are robust. 

Patch Management: Explain how you manage software and system updates (patch management). Keeping systems up to date with the latest security patches is essential for mitigating vulnerabilities. 

Security Software and Tools: Share information about the security software and tools you use, such as antivirus, firewalls, intrusion detection systems, and endpoint protection. 

History of Past Incidents: Disclose any past cybersecurity incidents, data breaches, or insurance claims related to cybersecurity. Insurers may consider your history when determining coverage and premiums. 

Cybersecurity Budget: Provide insights into your cybersecurity budget and investments. Insurers may want to know that you allocate sufficient resources to protect against cyber threats. 

Compliance with Regulations: If your business is subject to specific industry regulations, provide evidence of compliance as it relates to cybersecurity. 

Accuracy 

It’s essential to work closely with your IT and security teams to gather and present information accurately when applying for cyber insurance. The more transparent and well-documented your cybersecurity practices are, the better your chances of obtaining comprehensive coverage at competitive rates. Insurers use this information to assess risk and tailor insurance policies to meet your specific needs.  

Cyber Essentials Plus 

Another aspect often now requested by insurance companies is the ability to demonstrate compliance with Cyber Essentials Plus – the Government backed scheme set up to help protect against cybercrime.  

Net Primates have held accreditation for a number of years and have seen it become increasingly more complex to achieve, in line with the explosion and development of cybercrime.  

On the positive side, we have heard of discounts being offered for those businesses that do go to the trouble of gaining CE+.  

Should you look to obtain Cyber Essentials Plus? Of course, we’re going to say “yes”. Anything your business can do to protect itself against the growing threat of cyberattack is a plus point in our book. We want your business to grow and thrive – not be crippled by a cyber breach. The fact that it could also save you money, and help you receive important cyber insurance is an added bonus. 

What to do next? 

If you have insurance – great – well done (just make sure you’ve given completely accurate information to the insurance company). If you don’t have it, but feel you should, we are here to help you get your ducks in a row – you’ll then be in the best position to get the right insurance at the right price.