We all know (or should know) the importance of cybersecurity in protecting your business. Whether or not you are doing enough to protect it is something that should be under constant review, whether you are a sole trader, an SME owner or a board member.
But sometimes, despite all the security measures in place, things can go wrong. Even the best employee (or you yourself), educated in cybersecurity risks, can click on a dodgy link, especially when threats are getting harder to spot and we are all busy just trying to make a living. That momentary lapse in concentration can have dire consequences.
And when, rather than if, that happens, a good cyber insurance policy should protect you from the worst parts of the breach or attack. Disclaimer: I don’t work for an insurance company, nor sell or recommend any one product. This article is about how you can make the right choices.
Summary:
Cyber insurance can be included in your existing overall business insurance policy, or bought as a standalone product from many insurance firms. If you’re unsure whether your policy covers cybersecurity incidents, check: don’t assume.
However, before you decide that you’re covered and can now relax, there are some facts you should be aware of. They may well mean you need to check your policy or policies, especially the fine print, or research whether a different policy would better suit your requirements.
Cyber insurance policies are essential, and for good reason. The average ransomware payment jumped from £3,000 to £150,000 in just a few years, an amount that few small businesses can afford. And even if you have backups, the ransom figure does not include the cost and time of restoring and re-securing your systems, including a forensic analysis of the attack if one is needed.
7 things to know
1. All businesses should have it.
Cyber insurance, frankly, should be a no-brainer. You need to protect yourself against the increasing likelihood that a hack or breach occurs.
“You have a higher chance of getting hit with a cyber incident than of having a fire. You’re already paying for insurance on things less likely to happen, so why not consider cyber insurance?”
When applying for insurance, don’t hand the form to your IT support company or your IT department to sort out. We can assist with technical information, but it should be the business owners or board that ensure it is completed properly and accurately: the answers you give on the application are what the insurer relies on when deciding whether to pay a claim.
2. Your IT provider should have it.
IT providers have become a more frequent target of cyber criminals because they manage the networks and IT infrastructure of dozens or hundreds of small businesses, so compromising one provider can cause far more damage than attacking one business at a time.
A recent survey by NinjaRMM and Coveware revealed that 35% of IT support companies did not have cyber insurance when they experienced a cyber incident.
Needless to say, we have excellent cover, provided both by Hiscox, our insurer, and as a second level of cover that comes with our Cyber Essentials certification. But check that yours does.
3. Risks are increasing, and therefore so will premiums
We’ve all seen insurance premiums rise for other types of cover, such as flooding. As with all insurance products, insurers look both at the risk across their whole portfolio and at you as an individual business.
The cost of cover will of course vary with your business size and turnover, but it will also factor in the current threat level. Additionally, some insurers may stop covering some aspects of a potential claim; for example, paying for recovery from an attack but refusing to pay a ransom.
Expect premiums to rise, cover levels to drop, or both. You can mitigate this by checking the policy wording carefully, and by entering into a conversation with your insurer. Both the exclusions and the cost of your policy could well be reduced by action on your part in advance, such as rolling out two-factor authentication (2FA) business-wide, or by becoming Cyber Essentials certified yourself.
4. Make the right choices and follow instructions
In the event of a cyber-attack, your number one priority will be to get the business running again. After all, “time is money”. But before you demand that your IT support restore your systems, have them speak with your insurer to validate the recovery plan.
For example, an insurer may require its own cyber specialist to examine your systems before any restore attempt is made, in order to gather forensic evidence. Restoring or wiping machines first can destroy that evidence. Apart from treating the attack as a “crime scene” where evidence must be preserved, knowing how the criminals got in means the restored system can be strengthened with that knowledge so it does not suffer the same attack again.
5. Check the policy restrictions
Just as a motor insurance policy would not be valid if your car didn’t have an MOT certificate, cyber insurance policies come with a series of conditions, and they have recently become more onerous.
Early cyber insurance policies were simple, but as risks go up, restrictions and exclusions you aren’t aware of may prevent you from claiming, or lead to a claim being rejected.
While it is unlikely that a claim would be rejected because a member of staff “slipped up” and clicked on a dodgy link, if it was found that their PC didn’t have working anti-virus/anti-malware software, or that a hacked email account didn’t have two-factor authentication, you could be in trouble. Use the policy conditions as your template for the minimum standards you must meet, stick to them, and keep evidence that you do. Don’t forget to review them again at each annual renewal, as the wording can change.
6. It’s not a silver bullet
You must ensure that, even with excellent cover, you don’t get blasé about the risks. Even if you are covered financially for an attack, you still don’t want the disruption and possible reputational damage that a successful attack brings.
Cyber insurance should strengthen your risk mitigation, not replace it. Just as you wouldn’t leave a candle burning unattended in your home because you have home insurance, you shouldn’t leave your systems unprotected because you have cyber cover.
7. In the event of an attack, work with your insurance provider as well as your IT provider.
As per point 4, your insurer will have a wide array of experts available to help you get through an attack. While your IT provider should probably be your first port of call, your insurer should be the second, contacted immediately afterwards. Check the notification conditions in your policy: many require you to report an incident promptly for the claim to be valid.
Give your IT provider your insurance details in advance, including the policy number and the claims hotline, and keep a copy somewhere an attack can’t reach: you don’t want a ransomware incident to lock you out of your own policy information. They should then reach out to your insurer and work with its experts to coordinate the response. If they show little interest in doing so, consider that a red flag.
As mentioned, you’ll want your systems back online as quickly as possible, but having your IT support provider work hand in hand with your insurer is the best way both to ensure your systems stay up after recovery and to ensure any subsequent claim is paid out.
I’m Darrin Salt, MD of The Technologies Group, a multi-award-winning IT support business based in London and the EU. If you have any questions about cybersecurity, risks or how to secure your business against the rising threat of cybercrime, please do get in touch.
(This article was originally published on our LinkedIn blog: https://www.linkedin.com/pulse/cybersecurity-how-protect-yourself-all-goes-wrong-ttgrp/)