The number of companies in the UK investing in cyber insurance cover is rising fast, and such cover is rapidly becoming a necessity for any business. As these policies become more popular, they are also coming under more and more scrutiny, with not only the number of claims increasing but also the number of disputed or denied pay-outs. With the scope of cyber security being so broad and so often misunderstood, underwriters of these policies are often working with far less information when pricing premiums than they would have for other types of insurance policy, such as motor or health plans.
So how are these premiums calculated? Currently there are two ways: one based on a percentage of total revenue (the easy way), and the other based on the perceived risk to the business (the not-quite-as-easy way). However, with the latter only taking into account assumed reputational harm and immediate financial implications, rather than quantifying the actual likelihood of a breach, there is little impetus for businesses today to actually improve network security in order to reduce premiums. This is the equivalent of a dangerous driver investing in more comprehensive cover rather than improving their driving, or a heavy smoker buying more health insurance instead of stopping smoking.
The situation is improving, though: underwriters are now taking more steps to understand how businesses approach network security, so that they can offer better value to more secure networks. With such a major step change occurring in the fastest growing insurance sector, how can companies prepare for the increase in scrutiny?
Improving Basic Cyber Security Policy
The first point is probably the most obvious, and many insurers already insist on basic cyber policies being in place. There are multiple guides on how to build these policies, but the basic steps always remain the same. What data needs to be protected at all costs (customer information, valuable IP)? Who can access this and other sensitive data? How are confidential communications and data movements protected? It is always good to think beyond the mandatory as well: whilst building a cyber policy to the lowest common denominator is the most cost efficient option in the short term, it might not be sufficient for your business. Furthermore, the policy needs regular review; the cyber landscape is vastly different today than it was even 1 year ago, so how those risks are approached needs to change too.
Enforcing the Policy
Creating a document to manage cyber risk is all well and good, but it is all for nothing if that policy is not upheld. The biggest problem most businesses have is knowing when the policy has been breached: what is to stop someone with access to sensitive data from sending it unencrypted across parts of an unprotected or uncontrolled network? Often, network users will find the easiest method of doing their jobs rather than the most secure one, and this results in unforeseen breaches of the cyber policy. The best course of action here is to make sure system administrators have visibility of what occurs on the network, and are properly incentivised to investigate anything they find suspicious. Regular testing of the network can also be invaluable in understanding where vulnerabilities lie, and best of all this can be done with internal resources rather than forking out for expensive pen testers.
Training the Users
Often seen as the most vulnerable part of a network, the users themselves need to be trained on how to work according to network security basics. Helping users to understand not just what to do but also why they need to do it can vastly improve how secure the network is as a whole. For example, telling users why USB sticks cannot be used will improve adherence to a no-USB policy. Likewise, training users on why Dropbox should be avoided, instead of just placing a blanket block on Dropbox IPs, will likely stop the inevitable workarounds the users would otherwise try to find. Basic cyber awareness training can also be cheap and effective: making sure users are aware of phishing emails can radically reduce exposure to ransomware, and will protect them in their personal lives too.
Understanding the Risk
Without understanding how a compromise might occur, you cannot properly protect yourself against one. Things that are often missed when building this picture include the uncontrolled parts of a network: should we be responsible if AWS or Office cloud services are breached? What steps can be taken to ensure that data stored outside of the business remains secure? Understanding how the network is accessed externally is also useful for striking a good balance between the usability of network assets from outside and the protection of those same assets from external actors.
Will this Actually Save Money?
Yes. Even going through the above steps on an occasional basis will put a business streets ahead of the average enterprise network. When you consider that the insurance market is mostly about keeping premiums cheap for those above the average in the bell curve, massive savings can be made as more and more focus is put onto how data is protected rather than what data is being held.