The UK National Cyber Security Centre (NCSC) published some guidance this summer for organisations of all sizes who are considering purchasing cyber insurance.
The guidance is not intended to be a buyers' guide to insurance – rather, it is meant to enable organisations to decide whether cyber insurance could contribute to how they manage their cyber risk. It confirms that, to fully understand which insurance policy is right, organisations need to identify the risks they face, treating cyber security as an integral part of their organisational risks. Good risk management is therefore key.
Questions to ask before you take out cyber insurance
The guidance includes a number of basic questions that organisations should consider before buying insurance.
Are you already covered? Before purchasing bespoke cyber insurance, the first thing to check is whether you are already covered as part of existing policies, such as business interruption or property insurance. These may provide some level of coverage for cyber-related losses, particularly if they are existing/historic policies. Alternatively, they may specifically exclude certain cyber-related incidents, a trend we understand is increasing with new policies.
What existing cyber security defences do you already have in place? The process of preparing to purchase cyber insurance may in itself be helpful. You may need to gather information about your security controls (technical, procedural and human) to provide to the insurer/broker. You should also identify what requires the most protection (your ‘crown jewels’) and the scenarios that must not happen. You may be able to secure a discount on insurance if you have recognised cyber security defences in place (for example Cyber Essentials), so it is important that your broker is aware of these. In addition, some organisations that achieve Cyber Essentials are provided with cyber liability insurance as part of the certification through the IASME consortium.
How do you bring expertise together to assess a policy? Cyber insurance policies often contain detailed technical information and cyber jargon – it is important that you understand the policy and identify those who can help with this (lawyers, technical experts, HR). If an organisation does not have direct access to technical expertise, its insurance broker, or an NCSC-assured cyber security consultancy, may be able to help.
Do you fully understand the potential impacts of a cyber incident? It is important to understand how a cyber incident will impact the different parts of your organisation. Understanding how your organisation operates, the inter-dependencies between its different parts, and the potentially global nature of a cyber-attack is vital to determining the extent of an incident. For example, ransomware could mean that systems in multiple locations are unavailable. (As an aside, the NCSC recently updated its ransomware guidance.)
What does the cyber insurance policy cover (or not cover)? It is obviously important to understand, in detail, what the policy covers, and (as importantly) what is excluded. For example, some insurance policies will not cover monies lost through business email compromise fraud. Cyber-attacks are also continually evolving and so an organisation may fall victim to a new attack. Check with your broker if your policy would cover new types of attack. Other questions to ask include:
- whether third party claims for compensation are covered in the event of a cyber attack, or if personal data is lost as a result of a data breach at your organisation;
- what the limits of the policy are, and whether they are appropriate for your organisation;
- what services the insurer provides in the immediate response to an incident to help manage recovery and then improve resilience (as you’ll want to learn from what went wrong if the worst does happen); and
- whether cyber security services (e.g. consultancy and risk management) are included to help improve your resilience and whether the type of services offered suit your organisation and risk profile.
Does the policy include support during (or after) a cyber security incident? Some policies provide breach response services such as IT forensic services, legal support, PR, etc. In our experience, clients will often agree with their insurers when taking out the policy that they can use their preferred advisors in this situation (i.e. add them to the policy), rather than rely on those appointed by the insurer. Most cover responds to the immediate effects of a breach on an organisation - restoring networks, systems and data, while aiming to minimise losses from business interruption. Many also cover the defence and settlement of legal claims (covering, for example, legal action from customers or other affected parties in the event of a data breach). Some may even go further – covering cyber-related incidents such as computer-enabled fraud.
What must be in place to claim against (or renew) your cyber insurance policy? As with other insurance policies, you need to ensure that your organisation's details (in this case, its cyber security details) are accurate and up to date, and that your insurer is informed of any changes.
"In a world where cyber threats are varied (and constantly changing), cyber insurance can help your organisation to get back on its feet" (NCSC)