It’s also important that organizations view a cyber insurance policy as a partnership opportunity to improve overall security risk strategies, Rose and Bailey agree. “It can be so much more than just risk transfer,” Bailey says.
“Insurance firms could be at the forefront of a new wave of ‘baseline standards’ which could be much more dynamic and responsive to the threat landscape than any international standard or industry regulator,” Rose adds.
What do cyber insurance companies expect from customers?
If an organization applies for a cyber insurance policy, some key factors can prove integral to success. This comes down to being able to display that a business can meet the security control requirements that insurers now look for when considering a potential policyholder to ascertain their risk status. Insurers typically assess security controls by asking applicants to complete detailed questionnaires.
Sound cyber hygiene is key here, says Bailey. “This includes a robust backup strategy, multi-factor authentication at all critical access points, and strong patch management. We also continue to see the power of scanning technologies and proactively shoring up vulnerabilities.” Larger, more complex organizations will likely require heavier analysis from underwriters due to the intricacy of their network security and decentralization of their infrastructure, she adds.
Richard agrees, saying that demonstrating that your organization has a staff training awareness program, never transfers money on receipt of an email/phone call until full verification has taken place and has paid for anti-virus and endpoint protection are also important. For guidance and support, he advises businesses to speak to an insurance broker that is experienced in cyber and can explain in simple terms what it is you need and what you should be looking to do. “There is already too much jargon in insurance, it does not need to be made more complicated by adding confusing tech terms to it.”