Given that over 8,900 new businesses were set up in Wales in 2020, more than double the number launched in 2019, if you're one of them, now is the time to protect yourself. This is particularly true as the most recent government statistics show that 43% of all businesses experienced a cyber breach or attack in the past year.
Business insurance is a must for anyone, but a cyber version is just as important. No matter what sector your new venture is in, whether a high-street coffee shop, a hairdresser's, a law firm or a construction company, a successful cyber-attack can happen to anyone, and the results can be devastating.
Any such attack has the potential to cause loss of income, legal and regulatory action, reputational damage and perhaps even the closure of your business. Because the risks are now so high, cyber insurance is becoming a number one consideration for business owners.
To help get you started, the NCSC has released new Cyber Insurance Guidance to help you ask the right questions for your business.
What existing cyber security defences do you already have in place?
It is important for you to identify what within your organisation needs protecting the most and to establish any scenarios that must not happen. Do not limit yourself to meeting the minimum cyber security requirements specified by an insurer; these might not adequately protect the things your organisation cares about.
How do you bring expertise together to assess a policy?
Cyber insurance policies often contain detailed technical information, which can include cyber security jargon. If you don't fully understand the policy, you may need to identify people in your organisation who can help. This may include people who:
- deal with contracts (lawyers/commercial managers)
- manage and run your IT and security systems (technical experts)
- are responsible for the organisation's processes and procedures (such as human resources)
Do you fully understand the potential impacts of a cyber incident?
A cyber incident can impact a business in a variety of ways. It is important to build up a full understanding of how a breach could happen and the effects this will have on your organisation. This includes the financial fallout of business interruption, and the associated costs of response and recovery.
Unlike events such as a fire or theft, cyber intrusions are often not restricted to a single location. Understanding how your organisation operates and the interdependencies between its different parts is vital to determining the extent of an attack, which may have global implications.
What does the cyber insurance policy cover (or not cover)?
Make sure you understand in detail what the policy covers and, equally important, what is excluded. For example, some insurance policies will not cover monies lost through business email compromise fraud. This is just one instance where a relatively common occurrence may not be covered by a standard cyber security policy. If business email compromise (for example) is an issue for you, you'll need to check that your policy covers this.
What cyber security services are included in the policy, and do you need them?
Many insurers will offer cyber security consultancy services and risk management support once you have taken out their policy. This may include providing resiliency planning in addition to financial protection. Making use of these services and the expertise that comes with them, especially if you don't have access to these skills in-house, may help reduce the chance and impact of a cyber incident or breach.
Does the policy include support during (or after) a cyber security incident?
Most cover responds to the immediate effects on the organisation by working to quickly restore network systems and data, while seeking to minimise losses from business interruption. For data breaches, there may be legal action from customers or other affected parties. The defence and settlement of such claims would normally be covered. Certain cyber insurance policies will go further and cover other cyber-related violations such as computer-enabled fraud.
What must be in place to claim against (or renew) your cyber insurance policy?
Most cyber insurance policies are re-assessed every 12 months. The onus is on you to ensure that your organisation's cyber security details are accurate and up to date. It is important for insurers to understand what cyber security measures you have in place, and for you to provide any other details they require. As with other insurance policies, you should also let your insurers know when your circumstances change so that you're still covered. If you claim that security measures are in place when they're not, the insurer may not be obliged to pay any claims.
Whether you decide cyber insurance is right for your business or not, it should never be a substitute for having fundamental cyber security in place.
The full NCSC Cyber Insurance Guidance provides further considerations for businesses on purchasing cyber insurance.
Here at the Cyber Resilience Centre for Wales, we offer a range of services to help businesses identify their digital vulnerabilities and weaknesses. If you are a victim of a data breach, we can also run an individual internet investigation to identify what personal or private information about you is publicly available online.
We also offer a selection of membership packages that are designed to help your business become more cyber resilient.