Seven questions you need to ask when buying security insurance

The UK’s National Cyber Security Centre (NCSC) has launched its first-ever advice and best practice guidance on taking out cyber security insurance, highlighting seven key areas that organisations need to consider before committing to a policy.

The package was produced in consultation with a range of stakeholders and industry partners in response to a growing number of calls for expert technical advice on the cyber security insurance market, and encourages organisations of all sizes to think more about how specialist insurance can help them if they suffer a security incident, and its contribution to their overall risk management strategies.

“Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance, there simply hasn’t been enough information up to now,” said Sarah Lyons, NCSC deputy director for economy and society engagement. “That’s why it’s so important for the NCSC, as the UK’s leading cyber authority, to offer our support by providing some clarity on the key issues to consider to ensure cyber security.

“Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”    

The seven questions buyers need to ask themselves are:

• What existing security defences, processes and procedures are you already using?
• How do you bring expertise together to assess whether a policy is right for you?
• Do you understand what the potential impacts of a security incident are?
• What does the policy you are considering cover, or not cover?
• Exactly what security services does your intended policy include, and do you actually need all of them?
• Does the intended policy include support during or after an actual security incident?
• What hoops will you have to jump through in order to claim on, or renew, the intended policy?

The NCSC pointed out that while having appropriate cyber security insurance in place can play a valuable role in helping organisations recover if they suffer a security incident by reducing overall disruption and cost to the business, taking out an insurance policy clearly cannot stop a breach from happening in the first place.

This means organisations must only take out insurance as part of a wider cyber security strategy, and have appropriate, fundamental defences in place. The NCSC also provides guidance and certification on this through its Cyber Essentials programme.

The organisation noted that having cyber security certifications in place could potentially, but not necessarily, reduce your insurance premiums.

A spokesperson for the Association of British Insurers (ABI) said: “Being a victim of cyber crime can have a devastating impact on any business, whatever its size, with SMEs [small and medium-sized enterprises] especially vulnerable. Nearly half of UK firms reported a cyber attack over the last year, but despite this, take-up of cyber insurance by businesses remains low.

“This NCSC guide reinforces just how wide-ranging and serious the impact of a cyber attack can be, and why it is important to manage your cyber risk and put cyber security measures in place.”

Digital minister Matt Warman added: “It is vital that businesses take action to protect themselves and their customers from security risks and cyber insurance can play an important part in robust risk management strategies.

“I encourage firms to consider this guidance and use programmes such as Cyber Essentials to make sure they have fundamental cyber security defences in place.”