Navigating the world of cyber security insurance

Improve your chances of getting cyber security insurance, whilst reducing premiums.


Cyber security is largely a game of balancing risks. Commonly, this covers three well-understood business risks: financial, operational and reputational. A cyber-attack can impact all three, often halting operations and causing reputational damage through that disruption and through data loss; both of these affect immediate and future revenue.

Cyber security is complex: there’s no quick win, and organisations can spend millions of pounds and still be at risk or hacked. Cyber insurance helps to reduce the financial impact of a cyber-attack and can support getting the organisation operating again through incident response, which insurers may include as part of the service.

The state of cyber security insurance

With cyber-attacks becoming more common across all industries and across organisations of every type and size, cyber insurance has become more complex, harder to get and more expensive. TechTarget reports up to a 100% year-on-year increase in cyber insurance premiums, driven by ever-increasing ‘loss ratios’ for insurers of up to 72.8% (as SPGlobal reports).

Despite this, insurance providers do tend to pay out: Sophos reports that 94% of organisations that hold insurance against ransomware receive payment from their provider for ransom payments. However, policies now carry increasingly difficult requirements, such as patching everything within thirty days, and failing to meet them would invalidate a claim, meaning that this number is likely to be much lower today.

As a result of these hard facts, it’s naturally becoming more challenging for organisations to qualify for cyber insurance, with tougher requirements each year. In fact, we’ve started seeing organisations that have previously qualified for cyber insurance no longer able to get it with their current setup.

The challenge for insurers that's driving this is that there's no simple answer to protecting an organisation from a cyber-attack. This has led to many more technical requirements for getting cyber insurance, some of which we explore below. Without in-house expertise, these can be difficult to understand – we've created a handy jargon buster that explains some of the acronyms and terminology you’ll hear, and we can provide one-to-one advice on what they practically mean for your organisation.


Requirements for cyber insurance

The good (and unsurprising) news is that having good cyber security increases the likelihood of being able to get a policy and reduces both the likelihood and the cost of a successful cyber-attack.

There is a range of requirements for getting cyber insurance, and understanding all of them is often easier said than done: it requires a technical understanding of cyber security and broader IT, expertise that not all organisations have in-house. Whilst these will vary by provider and policy, general requirements include:

  • Technical setup - do you have technical measures in place to minimise the risk of a successful attack? This can include good patching procedures, tagging external emails, utilising web filtering and network segmentation and implementing best practices in the toolsets you use.
  • Detection & response capability - are you using an Endpoint Detection & Response (EDR) tool (such as Microsoft Defender for Endpoint), do you use a Security Information & Event Management (SIEM) tool, monitored 24/7 by a Security Operations Centre? Do you have network threat detection? Are you collecting logs and analysing them? Do you have an incident response team or retainer?
  • Protecting employees - are employees well trained, with regular security awareness and phishing training? Similarly, do you enforce the Principle of Least Privilege (POLP) at all times and use Multi-Factor Authentication (MFA)?
  • Protecting data - do you have Business Continuity Plans (BCP) and Incident Response (IR) plans and are they tested regularly? Do you run full and incremental backups and test their restorability? Do you know what technology and types of data reside within your wider supply chain?

Not all of these will be hard requirements, and they will vary by provider, but increasingly we’re seeing organisations unable to get insurance without many of them, including a 24/7 SOC service. It’s worth noting that this doesn’t have to be as expensive as it perhaps once was. For example, e2e-assure offer 24/7 detection and response coverage from £1,000 per month.

Help getting cyber insurance

In response to the challenges organisations are facing in getting or renewing cyber insurance, we have created a specific service that combines the advice and consultancy you need with the technology and services to fill any gaps. Most of the time we can provide immediate assistance simply by walking you through configuring your existing technology, or by helping you use features you may not be aware of, so that you can confidently answer the questions and become more secure.

Our experts guide you through the questions, identify the easiest, quickest and cheapest way of conforming and then help you implement the solution. We identify gaps and work with you to fill them cost effectively. We are not here to sell you some more software; we are here to make you more secure, help you get cyber insurance and do so as cost effectively and with the least effort possible.

The outcome is that you are more secure, insurable and able to reduce your business risk. We can also help you achieve compliance and certifications like Cyber Essentials, Cyber Essentials Plus and PCI along the way, by identifying where you already meet the requirements or where you will once changes are made. We make it simple for you by offering a well-tested process:

  1. Discover - Book a free, no obligation consultation to discuss your situation and perform a brief discovery exercise where we can quickly understand your current situation and challenges.
  2. Design - We then create a proposal and take you through it. This is a fixed price, cost effective proposal designed to re-use as much of your existing technology as possible and help you identify the most cost-effective way to implement solutions. Again, there is no charge for this.
  3. Advise - We will provide you with honest, transparent advice and make it as straightforward as possible to understand the gaps in your security.
  4. Build - If you choose to proceed, we can offer a 24/7 SOC service for an initial three-month period in which we get you insurable and get our services in place; you can then decide to continue with us after that period or walk away. Clearly, we want to have an ongoing relationship with you, to be your trusted cyber advisor or cyber partner for the long haul, but that’s up to you.
  5. Improve - We will provide your business with a cyber maturity rating and recommendations for improvements over time that are easy to understand, actionable and affordable. This should feed into or become your cyber security strategy, aiming for continuous improvement, not a magical overnight fix.


Cyber security as a business enabler

With these steps in place, you may then start to see cyber as a key business enabler and asset. Many of our customers see this through our cyber maturity programme: cyber ceases to be an unknown, unquantifiable cost and a money sink, and instead becomes something whose value you can see, as can your customers, stakeholders, board and supply chain.

By showing that you take cyber security seriously and are better than your competition, you can start to win new deals and retain existing customers, evidencing that you’re not a weak link in the supply chain. This is especially important as supply chain attacks are ever-growing in quantity and impact.

In addition to this, by working with the right partner you can have confidence that whatever business changes you make will be protected by the best. For example, working with a tech-agnostic partner means you can change your technology strategy and remain covered. Likewise, new mergers and acquisitions come with less risk when your partner can quickly mobilise to cover new organisations in hours, at the point when an organisation may be at the highest risk of an attack.

Working with e2e-assure

If you want to be the best in your sector at cyber security we can help; equally, if you just want to do enough to be insured, we can help with that too. Whatever your requirements, you will be in control of your cyber risk and feel assured that together we’ve got this – with our expert Analysts watching your back 24/7 you will sleep easy and be able to focus on the next biggest priorities for your organisation.

We’ve already seen the cyber insurance goalposts move in recent years, and this backs up the way we've been working with customers for many years: whilst there will be a burning platform for change, we don’t stop there. We work with customers to improve their cyber security posture over time through our cyber maturity programme. We help organisations to minimise their risk and make cyber that business enabler. We reduce the chances of a successful cyber-attack, from initial prevention through to detecting and responding to incidents, 24/7/365.

We've refined this approach over the last decade, and our advice is to tackle this now and start your cyber journey with us as soon as possible. It’s significantly easier and cheaper to start building your cyber security strategy today and iteratively improve it over time.