Reducing the cost of cyber insurance

Cyber insurance protects against risks that come with storing and handling data. It covers business liability for data breaches involving customer or employee information, including credit card details, passwords, and personally identifiable information (PII). Cyber insurance claims could arise from either:

  • An accidental privacy breach by an employee
  • A situation involving hacking, extortion or ransomware

Cyber insurance can cover many financial costs, varying with each provider. Here are some examples of cover:

  • Crime investigation
  • Loss of income
  • Legal costs
  • Recovering lost data
  • Restoring computer and security systems
  • Locating and removing viruses
  • Reputation management activities
  • Extortion payments
  • Third-party claims for damages
  • Hiring IT specialists

Insurance companies conduct risk assessments and set premiums accordingly through a combination of factors, including:

  • Actuarial analysis – consideration of historical data, industry trends, statistics, and various other factors to determine the likelihood of events occurring and associated costs
  • Underwriting – evaluating individual insurance applications to accept, reject, or modify cover. Underwriting involves assessing the applicant’s risk profile considering many factors.
  • Historical losses – analysis of historical claims data to identify which types of claims are more likely, using their frequency and severity to influence the premium

Consequently, reducing insurance premiums is about mitigating risks and demonstrating to insurance providers that effective countermeasures exist. For motor insurance, this could include:

  • Using a steering lock – a car is less likely to be stolen with a steering lock while parked and unattended. A car thief will likely move on to the next car without a steering lock.
  • Advanced driving test – a certificate holder is less likely to cause an accident. The advanced driving test demonstrates a higher standard of driving than the standard DVLA test. Some insurance providers offer significantly reduced premiums.

Not all insurance providers offer reduced premiums for all types of risk mitigation, so it is still necessary to shop around. Reducing cyber insurance premiums also involves mitigating risks and demonstrating to the providers that your business has adequate controls. In a nutshell:

  • Establish robust security controls to reduce the:
    • Likelihood of an incident
    • Severity of an incident
    • Overall risk
  • Have the necessary processes and resources to:
    • Recover quickly from security incidents and losses
    • Strengthen controls to prevent reoccurrence
  • Have the insurance policy as a backup

When applying for cyber insurance, you should expect to receive a detailed questionnaire from your insurance provider, like one that you may obtain from clients as part of their due diligence process or one that you might give to vendors as part of your due diligence. Also, expect a follow-up meeting with a security expert from the insurance company (or working on their behalf). This audit activity will allow the insurer to decide what cover to offer at a price that reflects the risk.

At the heart of this process is the requirement to establish credibility. A great starting point is to work within a specific framework and obtain third-party certification where available and appropriate to the business. Here is a selection:

  • Cyber Essentials and Cyber Essentials Plus
  • ISO 27001 Information Security Management Systems
  • Payment Card Industry Data Security Standard (PCI DSS)
  • National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF)
  • National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)
  • Control Objectives for Information and Related Technologies (COBIT) Framework

Obtaining a third-party evaluation of business maturity can add credibility to the current risk posture and provide essential information, such as the next steps in developing maturity and mitigating further risk. Not all insurance providers will recognise all the frameworks and certifications and may use a breakdown of controls when calculating premiums.

Here are some examples of controls demonstrating that your risk management, information security management, and risk posture are under control. These details provide a good starting point for building your case for reducing cyber insurance premiums.

  • Implement strong network security, firewalls, and intrusion detection systems. Use strong encryption to protect sensitive data, both in transit and at rest. Deploy endpoint protection.
  • Employ multi-factor authentication (MFA)
  • Regularly update and patch software and systems to address vulnerabilities. Remove deprecated or unsupported software from the estate. Establish vulnerability management practices and remediate weaknesses.
  • Conduct regular security audits. Conduct penetration testing. Identify weaknesses, manage remediation, and drive continuous security improvement.
  • Create and enforce clear policies and procedures for information security. Stay up-to-date with emerging threats and update countermeasures accordingly to protect the business.
  • Have secure/air-gapped backup copies of data. Regularly test the restore process to make sure you can recover your data if needed.
  • Provide security awareness training for employees to recognise and respond to threats. Create a security-aware culture within the business. Evolve to the point where the people become the greatest strength in cyber defence.
  • Define and document an incident response plan to address and contain threats. Regularly update and conduct tests to demonstrate readiness.
  • Establish a 24/7/365 security monitoring regime. If this is cost-prohibitive because of a need to operate multiple shifts, consider partnering or outsourcing the security operations centre to a third party specialising in security monitoring and offering a round-the-clock or follow-the-sun service.
  • Regularly assess your risk profile. Implement treatment plans based on the assessments. Identify and prioritise potential vulnerabilities and threats.
  • Comply with data protection regulations such as the Data Protection Act and the GDPR. Implement data protection measures to safeguard customer and employee information. Maintain a data breach response plan to meet regulatory requirements.
  • Assess the security posture of third-party suppliers during the selection process and at periodic intervals to ensure they meet your contractual requirements and security standards.
  • Establish a robust risk management framework and proactive measures to prevent security incidents. Continuously improve security posture in response to evolving risks and emerging threats. Update policies and procedures as needed to align with current requirements.

Information Security is a journey, not a destination, and the same applies to reducing cyber insurance premiums. By implementing strong security measures, demonstrating risk management practices, and working with insurance providers, it is feasible to:

  • Obtain lower insurance premiums. Keep premiums to a minimum through a commitment to continuous improvement.
  • Maintain an adequate level of insurance coverage. Review and adjust the insurance coverage and policy limits as needed to meet the needs of the business.