Six Steps to Buying the Best Business Cyber Insurance Cover

By Niall McConachie
Niall McConachie, regional director UK & Ireland at Yubico, provides six top tips on buying the right cyber insurance package for your business needs.

The state of the cyberthreat landscape should always be at the forefront of CISOs’ minds, especially with cyberattacks growing in sophistication and frequency each year. In the race to mitigate the potentially devastating financial and reputational repercussions resulting from an attack, more and more organisations are looking to cyber insurance – either for the first time or for increased liability coverage. However, as premiums become increasingly expensive and applicant requirements become even more stringent, stakeholders must do their homework before approaching a cyber insurance provider to ensure that they are in the best position to negotiate reasonable premiums on a policy that will pay out if the worst happens.

What to consider beforehand

There is no doubt about the importance of cyber insurance: it is vital for ensuring business continuity and can also provide some peace of mind. However, an insurance policy only offers protection after an attack, helping to recover financial losses; it does not provide the security measures needed to prevent an attack from happening in the first place.

In general, insurance policies are designed on the assumption that cybersecurity breaches are rare occurrences and should only pay out in the most devastating circumstances. However, in the last year over 80% of businesses in the UK have faced at least one cyberattack. As attacks have become more frequent and their impact less predictable, insurers have had to raise premiums to compensate for the high volume of claims paid out, with cyber insurance pricing in the UK having already increased by 20% so far this year.

When applying for a cyber insurance policy, applicants that can prove they have solid security practices in place will be offered a lower premium than those that cannot, because they are less likely to make a claim. Organisations looking to take out a policy should therefore work through the following six key factors first, so that the chance of a successful cyberattack, and of an expensive claim, is as low as possible.

#1 Secure remote workers

With so many employees now working remotely, either permanently or on a hybrid basis, the number of attack vectors has grown as security has become decentralised, and this has not gone unnoticed by cyber insurers. Given the level of sophistication cybercriminals are now capable of, attackers are not just breaking in; they are logging on. Indeed, stolen credentials are the initial cause of 80 per cent of successful breaches. It is therefore not enough to focus only on data protection, web proxies and firewalls. Robust multi-factor authentication (MFA) is an absolute must for remote workers, and not all MFA is equal: one-time codes delivered by SMS or email can be phished or relayed along with the password, whereas hardware-backed, phishing-resistant authenticators bind the login to the legitimate site and cannot be replayed elsewhere.

#2 Meet the minimum requirements 

Most cyber insurance quotes include a cyber risk vulnerability report that assesses the applicant for security gaps and other causes for concern. As governments around the world continue to introduce further cybersecurity mandates, a username and password alone will no longer meet the de facto industry standards or the minimum requirements set by cyber insurers. In the past, meeting the minimum applicant requirements could be as simple as a signature from the CISO confirming that standards were being adhered to. This is no longer the case: insurers now require a much more thorough due diligence process, with evidence rather than attestation, especially for high-liability or high-risk policies.

#3 Understand the changes to insurance policies

The truth is that insurance companies stay in business by limiting large pay-outs, and by not paying out at all when they are not obliged to. To make sure the provider does pay out, document all losses and downtime carefully from day one of a breach or any other security event, and keep that record alongside the incident timeline and supporting evidence so the claim can be substantiated.

To limit their exposure, insurers increasingly divide covered items into separate categories, including hardware and system replacement, identity protection, losses due to downtime, and ransomware pay-outs. In the past these may all have been bundled together for customers; now it is much more likely that each category is priced and capped separately. Policies are therefore more complex, and insurers often have to spread the risk across reinsurers.

#4 Conduct a thorough cybersecurity review 

The Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST), published as NIST SP 800-37, is a widely trusted and freely available resource for guidance on what an internal review should consist of. According to its guidelines, risk assessments should be scheduled regularly and cover both internal and external threats. The process should include a comprehensive evaluation of all user permissions, especially those of critical staff and administrators. It is crucial to determine which information matters most and to prioritise cybersecurity effort on the most likely breach scenarios.

The minimum objective of a full-scale security review should be to start implementing strong MFA for all users. Presenting detailed findings from a thorough review will put the organisation in a more favourable position when negotiating premiums and coverage.

#5 Check for quick initiatives to implement

If cyber insurance is required immediately, an organisation may not be able to wait for a complete round of security upgrades. Instead, ask the insurer what effect quick initiatives would have on the risk profile, such as additional employee training, documented cybersecurity practices, or hardware-based authentication.

#6 Confirm what is covered

Generic policies should be avoided. Each insurer has its own list of likely attack scenarios and threat vectors it is concerned about, so the more specific stakeholders can be about which security vulnerabilities and attack types fall under covered events, including any exclusions and sub-limits, the better. Where possible, enlist a legal advisor with at least some cyber insurance experience.

Applicants need to review proposed insurance policies with the same level of scrutiny insurers apply when reviewing potential customers. It is important for new applicants to follow current best practices, ensure their most valuable assets are covered, and fully understand what a policy entails before signing the agreement. Only then can organisations make an informed decision about what kind of cyber insurance policy is right for them.

About the author: Niall McConachie is the regional director UK & Ireland at Yubico. He has over 20 years' experience in the technology and data industry. Yubico specialises in strong authentication, providing superior security with unmatched ease-of-use.
