In this piece Mark Hunter, Chief Financial Officer, Red Helix, looks at the growing demand for cyber insurance, which is directly linked to the growth of digital banking, shopping, product distribution, corporate compliance, customer ID verification and more.
Despite often being seen as a new product, cyber insurance dates back to the 1990s, when AIG launched its ‘Internet Security Liability’ in a bid to gain market share. After that, it spent the next couple of decades in a state of relative infancy, often only being included as an addition to other policies. Over recent years, however, that has all changed.
Spurred on by the rapid adoption of digital technologies, increased regulations (such as the introduction of 2018’s GDPR) and a rise in the number and severity of cyber-crimes, the UK cyber insurance market is continuing to grow and evolve. Policies have become more clearly defined, more expensive, and more exclusive in terms of their cover. And as the threat landscape continues to shift, it is highly likely that the cyber insurance market will continue to change with it.
For enterprises considering taking out cyber insurance as an additional safeguard, or for those looking at renewing their policy over the next few years, this means not only being aware of the requirements for cyber insurance now – but also thinking ahead and considering what they may need in the near future.
Current requirements for cyber insurance
The requirements for cyber insurance vary depending on a number of factors, including the industry or the size of an organisation; however, there are some universal considerations for those looking to become insured. Not only are these measures that insurers expect to see in place, but they are also critical components of a robust security infrastructure and should be an area of focus for any business not already adhering to them.
Firstly, insurers will be looking at the breadth of cyber awareness training and testing provided by an organisation. This is a critical step in improving security, as human vulnerabilities are responsible for the majority of successful breaches, and insurance companies will expect to see training and testing conducted on a regular basis. Secondly, they will assess the strength of an organisation’s email protection. Email is the initial attack vector for most cyber-attacks and the primary channel for threats such as phishing, malware and spam.
Insurers will also evaluate access control mechanisms such as multifactor authentication, password policies and restricted access rights, to determine the security provided by each of these. Additionally, advanced detection and response technologies will be taken into consideration. Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) tools respond in real time to endpoint and network events and protect against threats that breach perimeter defences. It therefore stands to reason that insurance companies will value applicants with these tools in place.
While the absence of one or two of these measures might not adversely affect a business’s insurability, they are questions businesses should expect to see as part of their insurance assessment. Focussing attention on strengthening these areas will not only increase a company’s chances of receiving insurance but may also reduce the cost of the premiums on offer. Most importantly, these measures will bolster their defences, reducing the likelihood of a successful attack in the first place.
Prior incident history as an underwriting parameter
The list of requirements for cyber insurance has certainly grown in recent years, but it is by no means exhaustive. As digitalisation continues to gather pace, the criteria for cyber insurance underwriting are becoming increasingly stringent, and there is a high probability that additional requirements will be put in place.
One area in which businesses should expect to see insurers paying closer attention is any previous history of cyber incidents, whether giving rise to claims or not. Businesses need to be prepared for insurers requesting detailed reports on past cyber events and assessing the severity of the incident, the strength of their response and the effectiveness of post-event changes. Those that can provide a strong track record of rapid identification, swift response, efficient remediation and successful changes in the aftermath of an event may see a more favourable attitude toward premium renewal, for instance.
It is important to remember, however, that to provide these reports, companies already need to have put in place the tools to pull these reports together. Security information and event management (SIEM) tools, and the previously mentioned EDR and NDR, can provide the necessary compliance reports showing any previous events and how they were handled – as well as being important measures in strengthening protection against ever more sophisticated cyber threats.
Proving the strength of the supply chain
Alongside providing reports on incident history, it is expected that insurers will pay further attention to the vulnerabilities posed by weak supply chain security. This follows on from the NCSC issuing new guidance following a rise in supply chain attacks towards the end of last year, and is already becoming a mandate for highly regulated industries including banking and telecommunications.
The likelihood is that this will soon become part of the security assessment for other industries and, as such, is something that all businesses ought to consider. Future underwriters may be expected to delve deep into a company’s supply chain security practices, evaluating the cyber hygiene of their suppliers and assessing their third-party risk management strategies.
Improving supply chain security can take time, so, for organisations considering cyber insurance, it is an area they should start paying more attention to now. This means auditing the security of third parties in their supply chain and implementing strategies to manage any risk.
Using tools like Zero Trust Network Access (ZTNA) to control who can see exactly which parts of the network is a constructive step towards better security in the supply chain – as it effectively curtails both internal and external threats.
The future of cyber insurance
The UK cyber insurance market is evolving and for those wanting to be insured in the future, there are some actions they should consider taking now. Looking at their incident reporting abilities and strengthening the security of their supply chain will not only prepare them for future assessments, but it will also help strengthen their existing security infrastructure.
Additionally, through taking these actions, organisations are more likely to see lower premiums. This is already the case for companies that can demonstrate continuous compliance with information security standards – such as ISO 27001 or schemes like Cyber Essentials – as it means they are less at risk of a successful breach.
Underwriting for cyber insurance is a particularly complex task, owing to the market’s relative youth and the constant fluctuations of the threat landscape, and further changes to policies and assessment frameworks will no doubt come into effect. Preparing your organisation now is the best way to ensure you can secure insurance when you need it, as well as controlling and minimising the potential cost.