The risks of – and the potential fallout from – a cyber-attack is enough to keep any company director awake at night.
The costs of a breach can be huge, costing UK enterprises an average of £4.09 million per breach, according to IBM’s Cost of a Data Breach study.
These figures are not surprising when you consider lost productivity and revenue, response, forensics, recovery, communications, data breach fines, and various other costs. Even a company with 100 employees can be looking at hundreds of thousands of pounds, just to get back to where they were before an event, such as from a ransomware attack.
Together with the significant reputational damage that can follow a data breach, the level of risk and likelihood means that most organisations have some form of cyber insurance to cover these substantial costs.
But as the number of cyber insurance pay outs grows, insurers are looking at ways to not pay out, or at least not for the full amount of damage. This is understandable in cases where a board has been negligent and not managed the risks, just as a motor insurer would not pay out where a driver had failed to get an MOT or put road legal tyres on their car.
Your responsibility to control risk
All cyber insurance providers expect policy holders to take responsibility for evaluating and mitigating risks.
Insurers expect best-practice cyber security controls to be in place, which typically includes the ‘absolute basics’ such as Cyber Essentials. This also means keeping on top of security operations year-round, not just a tidy up and certification every year or so.
If the basics are not in place at the time of a breach, then many insurers will not pay out. On top of this, the ICO and other regulators are likely to hand out significant fines. These amounts aren’t insignificant, as the ICO alone can hand out a data breach fine of £17.5 million, or 4% of an organisation’s total annual worldwide turnover, whichever is higher.
Cyber security basics should be viewed as seriously as other risk controls in your business, such as a fire alarm that is regularly serviced and tested.
Common cyber security measures
For a cyber liability policy to pay out in a breach scenario you need to check the small print. However, here are common areas that are going to have an impact on any claim:
Patches and Updates
- Firewall Protection – IT equipment must be protected from unauthorised access by a suitable firewall. The firewall needs security updates and other updates at least once a month, if not automatically. An insurer will almost certainly not pay out if the firewall is not up to date at the time of a loss.
- Software updates –It’s best practice to patch and update software and it is a standard cyber insurance term to mitigate known vulnerabilities. Important updates to firmware, operating systems, and other software must usually be installed within 14 days of being released by the vendor or provider. Some insurers will insist on seven days, which can be a tough clause to manage in some environments, so keep an eye out for this.
- Tablets, phones, and other devices – It’s important that tablets, phones, and any other devices with access to your network are updated or kept off the corporate network. Your organisation is responsible for who and what connects to its network. If your network is breached from an insecure work or personal device, then your insurance could be void.
- Outdated operating systems – Outdated operating systems and software that is no longer supported by the vendor in terms of security updates is going to invalidate insurance if they are breached.
Users and Passwords
- Change default passwords – If you have default passwords or use the password that came with an IT device when it was purchased, then your policy will be invalid. There are large databases on the internet that list all these default passwords, and these are always a go-to for hackers and automated attacks.
- Individual ID and password –It can be common for some users to share logins and passwords to certain systems, and for conference room PCs to have shared logins. These shared credentials are unacceptable as they are a common cause of a breach. It also makes the source of a breach difficult to trace.
- Limiting access – System users should only have access to what they need, particularly logon credentials with enhanced security rights, such as administrator rights. It’s particularly important that users don’t have administrator rights on the device they log in to as that’s an easy way for an attacker, who may be an employee, to gain control of a machine and then the wider network and systems. Organisations will need to prove that administrator accounts are controlled and that passwords are changed regularly.
- Work laptops should be controlled – Only authorised users should be able to use work devices. This will need to be controlled via policy and login restrictions. An employee’s child downloading and installing a game with ransomware on to a work device could lead to the insurance being invalidated.
Cyber insurance policies will always cover the backup and protection of data. They will typically include:
- Two copies of backup data at different locations – It’s standard to expect two separate copies of backup data to be stored. One can be local to the IT environment, but another should be taken or backed up off-site, such as on a cloud backup platform. It’s increasingly common for insurers to ensure that backup data is air-gapped, so if someone gains access to your systems, they cannot get access to the backups. It’s common for ransomware attacks to seek and encrypt backups quickly.
- Frequency of data backup –It’s usual to backup data daily, if not continually, in most modern IT environments. If your data is critical, then an insurer would want to know why you have not backed-up regularly.
- Backup checks – It’s critical that you regularly evaluate your backups to make sure everything that needs to be is backed up. It’s even more critical to ensure that your backups are working as expected. Many systems will send automatic alerts, but it’s still worth doing a manual check and restore every now and again.
- Virus Protection –Cyber insurance terms typically state that anti-virus software should be in full and effective operation at the time of a loss. It should also be noted that many insurers are now asking that businesses have at least EDR (Endpoint Detection and Response), which is a typically more advanced antivirus solution, supported by a specialist organisation. In fact, it’s generally considered a security basic now, as antivirus was 20+ years ago.
Cyber insurance will not pay out if you are aware of, or ought to have reasonably known about, a pre-existing issue, prior to the cyber insurance being taken out. This is particularly important if you’ve had security audits undertaken in the past but not dealt with any issues highlighted. Too often organisations know they have issues but still take out insurance as a way of mitigating spend on security controls. This is a bad idea.
If you’ve been breached before it will impact your insurance, as there could always be something waiting to deploy at a particular time, or a hole left in the environment. You must declare if you have had a breach, usually over the last three years.
What can reduce premiums?
There are key areas that can make a real difference to your cyber insurance premiums and your security posture, such as:
- Multifactor authentication, particularly for remote access and administration accounts
- Privileged Access Management (PAM)
- Endpoint Detection and Response (EDR)
- Secured, tested and encrypted backups
- Email filtering and web security
- Patch and vulnerability management
- Cyber incident response planning and testing
- Cyber security awareness testing and phishing testing
- Security Information and event management solutions
- Vendor and supply-chain risk management
All the above are sensible security controls that should already be in place in organisations of all sizes.