Today’s world is hyperconnected, and year on year more businesses rely heavily on technology, digital infrastructure and data; the increasing frequency of cyber-attacks has crystallised the importance of robust cybersecurity protections.
However, even with the best measures and protections in place, attackers can succeed and protections may fail, which can trigger huge financial losses, irreparable damage to reputation and extensive legal liabilities.
In this article we explore the role of cyber liability insurance in the UK, its place within your overall cyber and cloud resilience strategy and, for organisations that are cloud-only, how it can help reduce your overall cloud risk.
What is Cyber liability insurance?
This form of insurance is primarily designed to protect your business against the financial impact of a damaging cyber incident. Its scope is broad and covers everything from expenses related to ransomware extortion, security failures and cyber recovery to educational items around cyber safety and security.
Most Cyber Liability Insurance providers in the UK offer policies which cover:
1. First-party coverage: This takes care of costs related to forensic activities, data breach notifications, credit monitoring for impacted individuals and even the PR effort around managing the reputational damage.
2. Third-party coverage: This component protects you if you are sued and addresses the liabilities to affected third parties, i.e. legal costs, settlements and judgements.
3. Business interruption coverage: This addresses loss of income and any additional expenses which arise as a result of disruption to your business.
Cyber liability insurance protections
The financial impact and long-term implications of a cyber breach can be devastating for any organisation, especially for small and medium-sized businesses that may not employ managed cyber security services and therefore lack the skills, resources and manpower to recover their environments safely and securely. Most policies in the UK will therefore cover the costs linked with cyber incident response and recovery. This protects businesses from bearing the financial brunt, the potential legal consequences, fines from regulatory bodies and the overall reputational damage.
With the advent of regulations around data protection and governance (GDPR), organisations are legally obliged to take every step to protect sensitive customer data, and failing to comply often means a substantial fine and severe legal penalties. A comprehensive policy arms you with the tools to meet these obligations and, in the worst-case scenario, will help you cover any costs arising from a court case, fines from regulatory bodies and any payments resulting from a settlement with affected parties.
From an incident response perspective, a cyber attack requires swift and robust incident response measures to slow down the attack and/or mitigate the damage. A good policy will provide not only financial power but also access to best-in-class, experienced cyber incident response experts who can help you contain the breach, investigate how the threat actors got in and recover your broader business operations as quickly as possible.
News of a cyber attack can be devastating to your business’ reputation and have a negative impact on your brand, damaging customer trust in the process. Cyber liability insurance often includes PR and legal support to help organisations manage the reputational fallout effectively. Depending on the policy, this can include crisis management and communication response, alerting impacted customers and suppliers, dealing with media coverage and managing communications with key internal stakeholders.
From a supplier and vendor management perspective, an appropriate cyber policy can be extended to cover breaches which originate in your software supply chain or result from a vendor’s negligence or poor security posture. This means your business receives ‘360 protection’ regardless of where the breach originates.
Treat cyber insurance as a key tool in your overall risk management strategy. Investing in it gives you 360 cover spanning financial protection, legal protection, cyber incident response support, public relations guidance and mitigation against vendor and software supply chain vulnerabilities. An effective cyber liability policy allows you to ‘transfer the risk’ of a cyber breach to your insurance provider.
In today’s world, cyber-attacks are not a matter of “if” but “when”, and a comprehensive policy offers your business the additional protection and safeguarding it needs in this ever-evolving digital era.
A framework for assessing cyber insurance providers in the UK
How do you identify and select the right cyber insurance provider in the UK? And how do you ensure you sign up to a policy which provides the appropriate protections against the financial and operational risks associated with a cyber-attack?
Start by reviewing all coverage options and consider how they align with the specific needs of your business. Review areas such as the risks covered, any limits around coverage, and any deductibles and exclusions. Engage your legal experts to review the language used in the policy and the terms outlined.
Evaluate the expertise, experience and tenure of the provider. Seek out providers with proven track records in handling claims and assisting businesses during a major cyber crisis. Challenge and probe their understanding of cyber risks, ask about access to qualified resources and their ability to deploy support to an organisation of your size in the event of an incident.
Look out for any offers around risk assessment exercises and vulnerability identification reviews to help you proactively identify and mitigate potential cyber risks. Do they offer any ‘pre-breach’ services such as penetration testing, cyber safety and security awareness programmes and incident response planning to improve your overall cyber posture?
Think about how they evaluate and handle claims. What does the process look like, and are there any service level agreements around response times, including deploying cyber recovery professionals and forensics experts onsite? Consider asking for references to further validate the provider’s reputation, check out any online reviews, and look at how they settled claims in the past, their availability and overall responsiveness.
The requirements you need to meet as a business
Cyber insurance providers now require a number of things before your business can be approved for a policy that can protect you from the most damaging cyber-attacks.
A key part of these requirements is a detailed risk assessment of your overall cybersecurity posture. Understanding your risk position is key: consider the state and maturity of your networks, security and access controls, data protection, incident response strategy and training programmes. Some insurance providers in the UK may now require that they carry out their own audit before any policy can be approved.
From a security controls perspective, you will likely need to evidence that you have appropriate identity and access management controls, the right antivirus and anti-malware software, encryption and regular software patching. Proving this will go a long way towards improving your eligibility for comprehensive cover.
Documenting your incident response strategy and tactical plans for the severest cyber incident is critical. It demonstrates a level of preparedness which improves your chances of qualifying for the right policy. Providers want evidence that a tried and tested end-to-end detection, response and containment approach is in place which can act as your core playbook to help you navigate high-severity breach events.
The internal corporate policies which govern your data protection measures will likely be scrutinised by providers, and businesses of all sizes will typically be required to demonstrate that these policies and practices are in place and well maintained. This includes, but is not limited to, classification levels, retention policies, data disposal and end-to-end access control. Evidencing that you are compliant with GDPR will go a long way towards speeding up the approval process.
Compare multiple providers and base your final decision on how each aligns with your business’ specific needs and overall risk profile, and don’t hesitate to engage your legal, IT and risk experts to ensure a thorough evaluation of potential providers.
Alternatively, reach out to our team of cyber experts for a free consultation on how to select the most appropriate provider for your business.