Only 43% of businesses today hold an insurance policy that covers cyber risks, according to the latest Government Cyber Security Breaches Survey.
Yet every set of cybercrime statistics points the same way: up. Cybersecurity Ventures claims that global cybercrime costs will grow 15% year on year to reach $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
The cost of an attack to an organisation can be multi-faceted: lost customers and sales, reputational damage, and even liability for damages stemming from the theft of third-party data. A cyber liability insurance policy can cover your business against the financial consequences of such risks, including those related to cyber-terrorism.
There are instances, though, where a business can be denied cyber insurance, or refused a pay-out after a breach. One of the most recent court rulings on a cyber insurance claim involved EMOI Services, an Ohio-based company selling software for appointment scheduling, medical billing and record keeping.
Following a ransomware attack on its computer system, EMOI Services paid the $35,000 ransom demanded. Owners Insurance Co then refused the claim on the grounds that the attack had caused no "direct physical loss to media", which is what the policy covered. EMOI Services sued Owners Insurance Co, but late last year the court ruled in favour of the insurer. The lesson is to read the policy wording closely: cover for data and software that has been encrypted rather than physically damaged cannot be taken for granted.
So, how can you reduce the risk of being denied cyber insurance?
1. Preventative measures
Cyber insurers want clear evidence that your company has robust protective measures in place, ranging from anti-spyware and anti-virus software to intrusion detection and response systems. If you cannot demonstrate that adequate measures are in place, whether delivered in-house or by a third-party IT managed service provider (MSP), the insurer will regard the business as highly exposed to attack, and it may be declined cover altogether.
2. Demonstrate effectiveness of cyber security systems
Your business might have a strong security posture and follow a strict set of preventative protocols; the tricky part is demonstrating this to the insurer, who will want to be convinced before taking on the risk of paying out a hefty claim. Insurers will therefore require evidence of how the organisation protects its own networks, which can be difficult for non-technical companies to produce given the complexity of cyber-attacks and the ever-changing ways in which they target computer systems. In practice this means keeping records you can hand over: patching and backup schedules, where multi-factor authentication is enforced, and the findings of any recent penetration test or vulnerability scan. If you use a third-party IT supplier or MSP, call on them for help.
3. Supply chain
Cybersecurity now goes beyond protecting your own network. An organisation's supply chain security will also be considered as part of a cyber insurance policy, especially as supply chain attacks have increased in frequency and severity. Reports describe these attacks as a 'hacker's playground', because a single compromised supplier gives attackers access to a potential chain of victims. Due to the interconnectivity of organisations, attackers now target third parties, whether partners, providers or suppliers, to gain access to an organisation's networks and data. Insurers will therefore review the cybersecurity measures of your supply chain partners and whether they meet the same standard as your own.
4. Cybersecurity awareness
Your company is only as secure as its weakest link, and that link could be in your own workforce as well as your supply chain. According to an IBM study, 95% of cybersecurity breaches are the result of human error. So it doesn't matter how strong your technical defences are if your staff fall for an attacker's social engineering tricks, such as a fraudulent email or a malicious link that downloads malware onto their machine.
Demonstrate to the insurer that your workforce receives regular, comprehensive cyber awareness training; this will further reassure them that you're taking every possible step to keep your business secure.
5. Cyber Essentials
As a minimum requirement, many insurers now require that an organisation holds Cyber Essentials certification, a UK Government-backed scheme designed to show that an organisation has a baseline level of cybersecurity protection, assessed annually.
Its five controls cover software updates, firewalls, secure configuration, access controls and malware protection, and according to the NCSC they protect against around 80% of common cyber attacks. Certification also helps demonstrate your security to supply chain partners and helps companies win new business, especially in Government and the public sector, where it is often compulsory for suppliers to hold it.
However, only 6% of UK businesses hold Cyber Essentials certification according to the Government Cyber Security Breaches Survey, likely because of the time and resources required to gain it.
For further advice on how we can help your business with Cyber Essentials and cyber insurance, contact the BOM IT Solutions team today on 0800 038 7222 or email sales@bom.co.uk.