When managing risk there are only 3 options: mitigate, accept or transfer. With the changes to the UK Data Protection Act in 2018, the ability to transfer risk is now limited to insurance.
Due to a significant increase in cyber-attacks (ransomware attacks rose by 148% in 2021), insurers are becoming more stringent when underwriting the risk.
Just like any insurance, the cost and coverage are dependent on the controls and security measures you have in place. If you are not able to meet these expectations, you may find yourself not being able to obtain insurance or renew an existing policy.
Insurers and brokers are now looking for a lot more information during their due diligence, ahead of any policy being made available.
Before I get into more detail, let me clarify what Cyber Insurance is there to protect:
Cyber Event – this is a malicious action or an accidental event on an organisation’s digital systems, data or technology.
This is then assessed for the impact of such an event:
- Non-physical: compromise of the confidentiality, integrity and/or the availability of digital systems, data and/or technology.
- Physical: property damage and/or bodily harm and injury.
Finally, the consequence of an event is reviewed. This can include:
- Loss of income.
- Extortion/ransom demands.
- Fines and penalties.
- Negligence.
- Shareholder litigation.
- 1st party costs (insurance).
- 3rd party liability (if the organisation is sued).
The due diligence process includes a review of 12 key information security controls. Although these controls have been established for several years and are considered best practice, many organisations have not adopted them.
The controls:
- Multifactor Authentication.
- End Point Detection & Response (EDR).
- Privileged Access Management (PAM).
- Email filtering & web security.
- Patch & Vulnerability Management.
- Cyber Incident Response Planning & testing.
- Cyber security awareness training and phishing testing.
- Hardening Techniques including remote desktop protocol (RDP).
- Logging and monitoring.
- End-of-life systems replaced or protected.
- Vendor/digital supply chain risk management.
Whether you need insurance or not, ensuring your organisation has the 12 controls in place is the best way to improve your information security posture and resilience.
When combined, the IASME Cyber Essentials Plus and Cyber Assurance Level 2 certifications address these controls, ensuring they are in place and giving you the ability to demonstrate your compliance with them.