If you’re concerned about the impact a cyber attack could have on your business, you’ve got the right things on your radar.
UK government research found that over 40% of businesses and 30% of charities had been attacked in the previous year, and that the costs of serious attacks ran into the thousands of pounds. These are genuine risks, and it’s wise to be aware of them.
Can cyber insurance help?
Hiscox say that cyber insurance is “designed to protect your business from threats in the digital age, such as data breaches or malicious cyber hacks on work computer systems.”
So buying a cyber insurance policy is one of the things you can consider to give you peace of mind, should something serious happen. But many of the organisations that have been attacked already had insurance in place, and it didn’t stop them from being attacked. So how much protection does cyber insurance actually provide?
First, we need to go back to basics and remember what insurance, of any sort, actually is. HSBC state that “it can’t stop bad things from happening. But if something unexpected does happen, it means you won’t have to pay the full financial cost on your own”, and go on to say that it “is all about managing risk”.
Managing risk
In practice this means that, as with many other business risks, you still need to manage the cyber risks your organisation might face. Cyber insurance can be part of that, but having a policy in place does not remove the need to manage the risks. In fact, in theory at least, the better you manage your risks, the less the insurance should cost.
The same research noted above found that small businesses were increasingly alert to this, with:
- Just under 50% doing cyber security risk assessments;
- Almost 60% having a cyber security policy; and
- Just over 50% having business continuity plans.
Having these things in place helps you to understand your risk profile, and from that, how to protect your systems, your data and your business from cyber threats.
The National Cyber Security Centre clarify that “cyber insurance will not instantly solve all of your cyber security issues, and it will not prevent a cyber breach/attack. Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about.”
The areas that insurance doesn’t cover
There are also many consequences of an attack that insurance cannot alleviate, for example:
- The stress for business leaders, trying to decide what to do and how to do it;
- Disruption to workflows and business activity;
- Communications with clients and other stakeholders if data has been exfiltrated;
- Loss of client confidentiality;
- Reporting to the ICO and other bodies;
- Failing to adhere to legal and regulatory requirements;
- Reputational damage to the organisation; and
- Lost time and potential erosion of staff goodwill.
Prevention is better than cure when it comes to cyber security, and in most cases is also less costly.
How to improve cyber security and manage risk
There are two key, government-backed schemes that organisations should be aware of in this regard:
- The Cyber Governance Code of Practice; and
- Cyber Essentials.
The Cyber Governance Code of Practice is intended to support boards and directors in governing cyber risk. It’s designed for medium and large organisations, but the principles can equally be applied in small businesses.
Cyber Essentials is a scheme developed by the National Cyber Security Centre (NCSC), the UK government’s cyber security agency, to define, promote and assess good security practices.
UK government state that “Cyber Essentials, together with the Cyber Governance Code of Practice, set out the minimum standard that organisations should have in place to manage their cyber risk.”
An important point to note is that when a UK-based organisation with a turnover of less than £20 million achieves Cyber Essentials certification, it is entitled to cyber liability insurance (with a liability limit of £25,000) at no additional charge. The certification must cover the whole organisation for the insurance to apply, so check the scope you declare when you certify.
For many organisations then, a good starting point may well be:
- Taking the key principles from the Cyber Governance Code of Practice and using them as a leadership-level risk management and strategy tool; and
- Completing Cyber Essentials certification and obtaining the cyber liability insurance.
How can Think IT help?
At Think IT we have a high level of cyber security expertise, to CISSP level, and we support many clients with all areas of cyber security.
We can help you with embedding the Cyber Governance Code of Practice and obtaining and maintaining Cyber Essentials: just get in touch with us.