One of the biggest cyber security myths we hear is “we don’t need to worry about cyber security, because our insurer will handle it.”
It is true that cyber security insurance may handle some things. But it’s not a set-and-forget proposition.
If you’re insuring your cyber security risk, you need to have a clear idea of exactly how much risk you’re insuring, and how much risk you’re taking on as a business. Here’s a few questions to ask your insurer to help you get a better handle on this:
Some insurance companies are cyber insurance specialists, while for others, cyber security is just a small bolt-on to a business that specialises in other types of insurance. By and large, a specialist insurance firm is likely to have more expertise on hand in the event of an incident.
This is related to the first question. An insurer who dealt with 50 incidents in the last 12 months is going to have a lot of expertise and bedded-in processes that they wouldn’t have if they had only dealt with 2 incidents in the last 12 months.
You’d be surprised at how many incidents are not covered in the base policy. For example, social engineering (such as when threat actors convince an accounts person to transfer money) is often not covered in a base policy.
So make sure you have a clear understanding of this. Get your insurer to walk you through exactly what’s covered – and review the policy! This gives a clear idea of how much risk you’re actually insuring. If it’s too expensive to insure every single incident, you can use this as an opportunity to patch cyber security gaps in your system.
Some insurers require you to work with their cyber security specialists in the event of an incident. This is useful to know ahead of time, because you can fold it into your own cyber security strategy.
There’s nothing inherently wrong with an insurer having a preferred provider panel. But you do need to make sure you’re working with people who know what they’re doing. Do your due diligence ahead of time, because you don’t want to find out during an incident that the insurer’s provider isn’t up to your standards.
We’ve seen examples of incidents happening on a Saturday, only for the affected company to learn that their insurer’s provider doesn’t work on weekends. This is unacceptable in a modern ransomware scenario, where hours matter.
You need to know what your insurer’s processes look like, if they have an on-call system, and so forth – essentially, you need to know that if an incident happens, you can get help immediately.
Some insurers take a hands-off view, and outsource everything to specialists. Others are more involved, right down to the level of participating in every meeting. There’s no right or wrong way to do this, but it’s the kind of thing you want to learn before an incident, not during an incident.
These questions are just one way to get a view of the risks you’re taking in your business. How clear is your view of the rest of the business? Download our ransomware guide – four ransomware myths you need to stop believing. It’s a great way to figure out what your risks are, and where you need to get cyber security help, today.
