Why mid-market organisations need cyber insurance

Vanessa Leemans

The UK government’s National Cyber Security Centre (NCSC) has issued new guidance for businesses considering cyber insurance. It’s the first time the NCSC has provided such advice and reflects the growing importance that cyber insurance can play in protecting a business from a cyber-attack.

It’s a welcome move considering that many mid-market organisations do not yet buy cyber insurance, which is particularly important in protecting their intangible information assets. Typically, a cyber insurance policy includes coverage for network security liability, privacy liability, data breach response and crisis management, network business interruption, data recovery and restoration, and cyber extortion.

Insurance and asset mismatch

According to the 2020 Aon-Ponemon Global Report, only 15% of potential loss to intangible information assets is covered by insurance, while 61% of potential loss to tangible physical assets is insured. This mismatch exists despite a recognition that organisations value their information assets more than their tangible assets of property, plant and equipment (PPE).

It’s an uninsured exposure that organisations cannot afford given the increasing likelihood of falling victim to cyber attacks. Mid-market organisations have seen a marked increase in the use of ransomware by cyber criminals. During the Covid-19 pandemic, this trend has accelerated even further in the last six months as hackers look to exploit new vulnerabilities in company networks, stemming from an increase in remote working and employee susceptibility to tactics such as phishing.

Improving cyber insurance understanding

One reason for the historically low take-up of cyber insurance is a lack of awareness of cyber risk. Many organisations think they have cyber cover built into their property and liability policies, whereas that is not always the case. Moreover, as the traditional property and liability markets continue to review and retract elements of cyber coverage, this makes consideration of a standalone cyber insurance policy even more necessary.

This is where the National Cyber Security Centre’s (NCSC) new cyber insurance guidance will prove to be invaluable. This guidance lists seven questions for organisations to consider when buying cyber insurance. The first of these asks, “what existing cyber security defences do you already have in place?” This is a key step for organisations to address when reviewing cyber insurance. As the NCSC says, “cover cannot prevent a breach [from] happening so it is vital for organisations to ensure there are fundamental cyber security defences in place.” This means taking appropriate measures to mitigate cyber risks such as those listed in the IASME Consortium’s Cyber Essentials scheme – for example, installing a firewall and controlling who has access to your data and services. These are low cost, but highly effective ways of reducing an organisation’s cyber exposure.

The NCSC guidance goes on to ask what the cyber insurance policy will cover and what services are offered. Ensuring that a cyber insurance policy has appropriate limits to cover the costs that may arise from network business interruption, for example, is important. For many organisations, the real benefit is the access to service providers that a standalone cyber insurance policy offers, helping them to respond to an incident and successfully manage recovery.

Making the right decision

Cyber insurance plays a central role in how an organisation manages and mitigates cyber risk. It may protect an organisation’s balance sheet by not only providing financial indemnification after things have gone wrong, but also offering expert consultancy to improve security and on-the-ground incident response support during a period of crisis.

Aon’s Cyber Secure Solution has been specifically developed for EMEA mid-market organisations, providing broad standalone cyber insurance coverage. It is also compliant with NCSC guidance in terms of access to pre-loss prevention and post-loss services, which may help organisations to recover more quickly from cyber losses.