The insurance industry has responded to increasing cyber threats to client details, business strategy, financial details, intellectual property, passwords and employee information by offering cyber insurance to supplement existing insurance arrangements. The market is still evolving, but it typically covers hacking, computer system failure and recovery, and business interruption.
Businesses of all sizes may view this as the way to transfer the risks of cyber crime, but it isn’t that simple. A policy places obligations on the business that must be met before it will pay out. A random check on the small print of some policies aimed at SMEs highlighted the following obligations:
- take reasonable steps to apply hardware and software patches
- take reasonable steps to stop unauthorised access to computer systems and websites
- make backups on a regular basis and check their integrity
- close down access to accounts after someone has left
The Association of Business Insurers put this in a wider context and say it is important to manage cyber risks as a business. This includes:
- Evaluating first and third party risks associated with the IT systems and networks in your business
- Assessing the potential events that could cause first or third party risks to materialise
- Analysing the controls that are currently in place and whether they need further improvement
What does not appear to be covered at this time is content on social media channels, data stored in the cloud and issues arising from social engineering attacks.
Cyber insurance is something that every business should look at, but always check the small print:
- Does it cover the threats to my business?
- Does it provide the right level of financial cover?
- Can my business meet the obligations?
WADIFF Consulting can help with identifying and reviewing cyber threats and other threats, such as those from social engineering attacks, as well as the level of cover that is required and how to meet your obligations. Contact us to find out more details.