WIREDGOV

New guidance highlights the 7 cyber security questions organisations should be asking if they are considering purchasing cyber insurance.

• New cyber insurance guidance launched to help organisations considering cover
• National Cyber Security Centre highlights seven key cyber security questions for businesses to address
• Businesses urged to consider guidance carefully when thinking about taking out cyber insurance

BUSINESSES have today been given access to the National Cyber Security Centre’s first-ever advice on taking out cyber insurance.

The new cyber insurance guidance published online today urges businesses to consider seven key questions to help them make informed decisions about cover.

The cyber insurance guidance has been produced by the NCSC – a part of GCHQ – in consultation with a range of major stakeholders and industry partners, after calls for expert technical advice on the growing cyber insurance market.

The advice encourages organisations of all sizes to think about how insurance might help in the wake of a cyber attack and contribute to existing risk management strategies. Questions range from what levels of defence are already in place to whether the insurance covers the aftermath of an incident.

Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, said:

“Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance there simply hasn’t been enough information up to now.

“That’s why it’s so important for the NCSC as the UK’s leading cyber authority to offer our support by providing some clarity on the key issues to consider to ensure cyber security.

“Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”

A spokesperson for the British Insurance Brokers’ Association (BIBA) said:

“The British Insurance Brokers’ Association welcomes this guidance for businesses. This guide clearly explains how good cyber security and suitable insurance go hand in hand.

“Insurance brokers can provide support and advice to firms looking for cover and in turn businesses benefit from reducing the impact of disruption caused by a cyber-attack.”

A spokesperson for the Association of British Insurers (ABI) said:

“Being a victim of cyber crime can have a devastating impact on any business, whatever its size, with SMEs especially vulnerable. Nearly a half of UK firms reported a cyber attack over the last year, but despite this take-up of cyber insurance by businesses remains low.

“This NCSC guide reinforces just how wide-ranging and serious the impact of a cyber attack can be, and why it is important to manage your cyber risk and put cyber security measures in place.”

Digital Infrastructure Minister Matt Warman said:

"It is vital businesses take action to protect themselves and their customers from security risks and cyber insurance can play an important part in robust risk management strategies.

"I encourage firms to consider this guidance and use programmes such as Cyber Essentials to make sure they have fundamental cyber security defences in place."

The new guidance focuses on the cyber security aspects of buying cyber insurance, posing seven questions senior leaders at organisations should be asking themselves:

1. What existing cyber security defences do you already have in place?
2. How do you bring expertise together to assess a policy?
3. Do you fully understand the potential impacts of a cyber incident?
4. What does the cyber insurance policy cover (or not cover)?
5. What cyber security services are included in the policy, and do you need them?
6. Does the policy include support during (or after) a cyber security incident?
7. What must be in place to claim against (or renew) your cyber insurance policy?

Having insurance can help businesses with recovery if they fall victim to a cyber attack by reducing disruption to operations and providing financial protection.

However, cover cannot prevent a breach happening so it is vital for organisations to ensure they have fundamental cyber security defences in place, such as those assessed by the NCSC’s Cyber Essentials scheme.

Cyber Essentials allows UK organisations to assess whether they have the measures in place to protect themselves from the most common cyber threats – and if they do they receive certification from the NCSC, in partnership with IASME Consortium.

Having certification may in some cases even help with getting a discount on cyber insurance, as insurers know you have implemented basic protections.

Organisations can find a range of tailored cyber security advice and guidance on the NCSC website. Topics include mitigating against malware and ransomware attacks and securely managing an increase in home working.