What should organizations consider if they are to prepare for cyber insurance?
The answer to cyber security woes is insurance, right? Well, not really – so take a deep breath, relax and spend some quality time thinking about insurance and how it might apply to your cyber security situation.
What cyber insurance will not do is stop cyber incidents. What it will do is help you pick up the pieces after a cyber incident and so get your company operational again. But like any insurance, you must have met certain obligations, otherwise no pay-out. But what do your obligations consist of and how will the insurance company decide whether you have met them adequately should you need to claim?
Your obligations are essentially to ensure that your IT estate, including servers, infrastructure and user devices (PCs, laptops, tablets, smartphones, and so on) are operated and maintained to good security practices.
In practical terms, this means that devices and software are maintained at manufacturers’ supported release levels with the most current security patches applied, and that devices, applications and access controls have been configured to ensure secure operation and that the IT governance is to a good and demonstrable standard.
Governance covers policies, procedures, standards and work practices that are maintained in line with good practice and changes in the legal and regulatory environment.
Governance also covers the maintenance of logs, audit trails, system backups and IT Health Check reports, all of which support the notion that security due diligence has been, and is being, maintained. These logs, trails, reports and the availability of backups will be vital input to any investigation carried out by an insurance company should a claim be made on a cyber security policy.
Besides operating the IT estate to good security practices, what else can a company do? Here the recommendation is to get independent verification of the cyber security worthiness of your operation.
ISO27001 certification is one route; an independent report as to the compliance with ISO27001 is another (and generally cheaper) route. But there is also the relatively new Cyber Essentials scheme, which is being heavily promoted by the government as a way of improving the UK’s cyber security.
Two Cyber Essentials (CE) certifications are available. One is the basic Cyber Essentials certification which relies on a company filling out a questionnaire relating to its operation and governance. This questionnaire is then reviewed independently for scheme compliance. This is a low-cost route (currently £300 plus VAT) to a cyber certification.
The second CE certification is Cyber Essential Plus, which is basic CE with the addition of an independent auditor going to a company site to check that the CE questionnaire was factual. An IT Health Check on the IT estate is also part of the Plus certification. This approach is more expensive than the basic CE certification (for a small company, expect something in the low thousands of pounds), but much less expensive than gaining ISO27001.
Gaining a cyber certification, be it ISO27001, Cyber Essentials or Cyber Essentials Plus, should lead to lower insurance premiums, with ISO27001 giving the best premium.
Also check out: Six key factors in cyber insurance