Effective information security is essential in today’s business world, but there will still be times when your best defences aren’t enough.
Even as organisations prioritise cyber security, the threat continues to spiral. Last year, the number of reported data breaches almost tripled, with more than 2.3 billion records being compromised. We’ve already seen three times as many breached records in 2019, and we’re only halfway through the year.
Organisations need a plan for when disaster strikes, and for many European organisations, the answer is cyber insurance.
What is cyber insurance?
Cyber insurance is a type of policy that organisations can take out to protect themselves against the financial consequences of cyber attacks and data breaches.
Depending on the specifics of the policy, the organisation receives a pay-out to help cover the costs of responding to the incident, such as investigation, notification and recovery.
According to Ponemon Institute’s 2018 Cost of a Data Breach Study, organisations spend $148 (about €130) on average for every lost or stolen record. That money goes towards things like notifying affected data subjects, giving them access to complimentary credit monitoring services and hiring a digital forensics team to investigate the incident.
Losses arising from information security incidents are generally not covered by standard commercial insurance policies, so most providers will not pay out if you make a claim for, say, a business interruption caused by a cyber attack.
You must therefore take out a specific cyber insurance policy if you want to protect yourself against the costs associated with cyber attacks and data breaches.
The cost of cyber insurance
As with all types of insurance, the lower your risk, the better deal you’ll get. However, as Gareth Wharton, chief executive of cyber at Hiscox, explains, the process of determining risk is more difficult for cyber insurers.
“Cyber isn’t like car or house insurance where the risks are known and the products haven’t changed that much. The types of risk are changing all the time and there’s no easy way of quantifying the cost of stolen data,” he said.
The insurer is therefore required to assess each organisation in more granular detail. It cannot rely on simple assumptions in the way a car insurer can, for example, by noting that first-time drivers are the most likely to have accidents and charging them higher premiums.
Wharton explains that cyber insurance rates are determined by things such as:
- How seriously the organisation’s board takes cyber security;
- Whether the organisation has a disaster recovery plan in place;
- How often it tests its security procedures;
- Whether the organisation has technological defences, like antivirus software and firewalls;
- How often the organisation performs software updates and data backups; and
- Whether critical data is encrypted.
This might make cyber insurance sound complicated, but the major benefit is that the rate an organisation receives is largely within its own control. Whereas a first-time driver cannot persuade an insurer that they are unlikely to have an accident, an organisation can demonstrate the measures it has put in place to prevent and recover from security incidents.
Get better insurance rates with ISO 27001
One of the most effective ways to prove to insurers that you take information security seriously is to implement ISO 27001, and ideally to have your implementation certified by an independent auditor.
The Standard specifies the requirements for an ISMS (information security management system): a framework for identifying the information an organisation holds, assessing the threats and risks it faces, and selecting controls to manage those risks.
An ISMS is a centrally managed framework that helps organisations manage, monitor and continually improve their information security in one place. It contains the policies, processes and controls designed to protect the confidentiality, integrity and availability of information.
Some organisations might be put off by the cost of implementing ISO 27001 (typically €2,500 or more, depending on the size of your business). But this is a small price to pay if you are planning to take out cyber insurance, because the same evidence that satisfies an auditor answers most of the questions an insurer will ask, and you are likely to receive better rates as a result.
Implement ISO 27001 with IT Governance
Anyone looking for advice on how to implement ISO 27001 might be interested in our documentation toolkits.
These bundles contain a selection of guides, document templates, copies of the Standard and software. All you need to do is pick the toolkit that matches your experience and skills.