implementing the above can help organisations to secure insurance and start better protecting themselves, certain industries will have their own regulations that need to be met – such as the Telecommunications (Security) Act (TSA) for Network Operators – and it is unlikely that Insurance companies will accept those that don’t comply with Government legislation.

Is cyber insurance worth it?

Ultimately, there is no ‘yes or no’ answer to whether cyber insurance is worth the cost. It comes down to the details of the individual policy and will require an in-depth investigation into exactly what will be covered, any stipulations and limits included in the contract, and the price of the premium.

One of the many elements that should be considered is that in the event of a breach, some Insurers will insist on choosing the company that investigates the attack themselves. And while that may not seem like a big deal initially, it becomes more of an issue when combined with the recent exemptions around state-sponsored attacks, giving the Insurance company the power to determine if there is a link to a nation-state or not – and ultimately if that affects the eligibility of the claim. Organisations, therefore, need to ask themselves whether they are comfortable with this and whether they are happy to trust the results of the Insurer’s investigation, particularly if they have their own means to investigate a breach – be it their own technology, or an existing relationship with an attack remediation company – as an insurance company may reject findings that differ from its own. This may draw the level of worth provided by cyber insurance further into question.

What is, however, without a doubt ‘worth it’ is ensuring your cyber security continues to be at a level where its eligibility for insurance couldn’t be brought into question.
As the threat landscape continues to grow, businesses need to remain aware of the evolving threats, and increase their security measures alongside them, so they can continue to protect themselves, their business partners and their customers from attack. And while cyber insurance requirements themselves shouldn’t be used as a base level for an organisation’s security, the higher bar being set does indicate the need to reassess levels of protection. Furthermore, as additional security compliance requirements are imposed on some sectors, such as the aforementioned TSA and the EU’s DORA (as well as a likely UK equivalent) for Financial Services, reviewing and upgrading security measures isn’t just important for protecting your business – it is becoming a more important part of the criteria for companies assessing their third-party suppliers.

The bottom line

Ultimately, the choice to take out cyber insurance will come down to the cost of the policy, the level of cover you’re able to receive and any stipulations or exemptions. Nevertheless, whether you are insured or not, paying attention to the requirements for cyber security – both from insurance companies and Government regulations – is of utmost importance. Adhering to security guidelines, such as Cyber Essentials and Cyber Essentials Plus, can help to strengthen your security environment, while regular testing of cyber defences can determine any areas of your security that need to be upgraded. This will not only help your organisation qualify for cyber insurance should you want it, as well as likely reduce your premium, but it will also majorly reduce the chance of a successful breach. Insurance or no insurance, the threat landscape is evolving, and your security measures need to evolve with it.
Finance Monthly. Financial Innovation & FinTech