Cyber insurance helps you manage your risk, recover from a cyberattack, and pay any costs you may have incurred, but only if your claim is actually paid. In the last twelve months, we’ve seen significant growth in the number of our clients taking on cyber liability insurance. (Not got it yet? Read our guide on why you should have it.) In part, uptake is being driven by increased awareness, in part by increased risk, and in many cases by the experience of an incident. This is great, and we applaud businesses for being more engaged and prepared, but we want to highlight that the next step is, and absolutely should be, working out how to comply with your insurance policy.
How to comply with your Cyber Liability Insurance
So, you’ve taken out a cyber liability policy. Well done. That’s a great first step. The question is, have you read the small print? Over the last few months, we’ve taken on a few new clients that have cyber liability insurance, but when we’ve asked them for their compliance information, or for evidence of the steps they’ve taken to comply, some have been unable to answer the questions, and some have never checked whether they have the appropriate measures in place. Only a small handful of the clients we’ve taken on have fully complied with their policy. Why does it matter? In simple terms, non-compliance means you risk a claim going unpaid. With the average cost of an SME claim being between £4,200 and £19,800, that could be a really painful mistake. While insurance companies do seek to support businesses, they also have very specific conditions for when a claim will be paid, so failing to comply is exactly the reason a claim won’t be paid.
The terms of your specific cyber policy will depend on the type of policy you have taken out, as well as your provider and their specific terms. It is therefore essential that you have shopped around, compared the different policies on the market and whether they suit your business, and, most importantly, have worked through the fine detail of the policy with your IT provider or department, to ensure that you have followed best practice and comply with all the terms. We are happy to provide advice on your specific policy (speak to our team on 01453 700 800), but in the meantime, here are some of the common, general terms that are found in most policies, and which are also best practice for you to apply:
Strong password protocols
Poor password management is the most basic and common form of access management failure, i.e. unauthorised people gaining access to your business systems. It is important to make sure that passwords are always strong and that everyone in your business follows the password protocols. As highlighted by this study, even an 8-character password can be guessed instantly if it only contains lowercase letters, and can be systematically broken in 8 hours even if it contains an uppercase letter, a number and a symbol. A 12-character password, however, would take 34,000 years to break if it contains a mixture of upper- and lowercase letters, a number and a symbol. The National Cyber Security Centre (NCSC), meanwhile, recommends choosing three random words to make a password memorable, adding a mixture of numbers and symbols too.
Best practice also includes ensuring that passwords are not written down on pieces of paper, and that they are regularly updated. What’s more, you can strengthen password practice further by making use of settings within your systems (for example, in internet browsers and login systems) to prevent brute-force attacks on your accounts.
It is worth noting that some cyber insurance policies do not explicitly mention password strength or security; however, it is considered part of cybersecurity best practice, and is typically covered by a general catch-all clause about implementing basic best practice.
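The "instantly" versus "34,000 years" figures above come from the size of the search space an attacker must exhaust. The following added example (ours, not from the study or the NCSC) models that calculation for the page's two cases and applies a simple length-and-character-class policy check; the guess rate of 10 billion guesses per second and the policy thresholds are assumptions for illustration, not the study's figures.

```python
import string

# Character-class sizes: 26 + 26 + 10 + 32 = 94 printable ASCII characters
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}
ALL_CLASSES = frozenset(CHARSET_SIZES)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classify(password: str) -> set:
    """Return the set of character classes actually present in a password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def keyspace(length: int, classes) -> int:
    """Worst-case number of candidates: (alphabet size) ** length."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length


def worst_case_years(length: int, classes, guesses_per_second: float) -> float:
    """Years to exhaust the keyspace at an assumed offline guessing rate."""
    return keyspace(length, classes) / guesses_per_second / SECONDS_PER_YEAR


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Assumed policy: at least 12 characters mixing at least three classes."""
    return len(password) >= min_length and len(classify(password)) >= min_classes


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second, for illustration only
    for length, classes in [(8, {"lower"}), (8, ALL_CLASSES), (12, ALL_CLASSES)]:
        years = worst_case_years(length, classes, rate)
        print(f"{length} chars, {len(classes)} class(es): {years:.3g} years")
```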
Up to date software
As well as improving the user experience, one of the key reasons software updates are released is to provide patches for known or newly discovered vulnerabilities. These vulnerabilities could be weaknesses that known malware or viruses exploit, or flaws that directly expose data to anyone who knows what to search for. What’s more, many providers phase out support for older software, making it ‘end of life’ and leaving the business exposed to new and emerging threats. Your cyber liability insurance policy will most likely require you not only to use current software versions, but to keep them updated.
Use of a firewall & antivirus
Firewalls and antivirus are considered part of routine cybersecurity defences, and it is expected that you will have adequate provision in place, appropriate to the activities you are undertaking and the systems you use. If you aren’t sure about your software and settings, ask your IT provider or team for information.
User access policies
Many businesses overlook their user policies, on the assumption that if a person is employed by the company, they will act in the company’s best interest. It comes down to trust. The problem is that users present a lot of risk to the business, whether intentionally, for example through the theft of documents, or accidentally, for example by clicking a link in a phishing email. Implementing user access policies, i.e. defining who can access which materials, as well as monitoring specific activities, e.g. database administration, can help prevent rogue access to your systems, protect your data privacy, and stop a malware infection from compromising every part of your system. Designing a good-quality user access system starts with identifying your user types, your documents and your risks, and then using appropriate settings to mitigate those risks.
Implement employee training
Human error is the biggest cause of cyber breaches, whether through deliberate malpractice such as the leaking or sale of important files and documents, or through accidental error such as falling for phishing attacks or introducing malware. While deliberate malpractice needs to be managed by adequate user controls, the latter – incidents through genuine human error – can be significantly reduced through appropriate and regular training. Most cyber liability policies will set out an expectation for staff training, but it is usually quite vague – words like “appropriate training” will be used. Some are more specific and detail annual or bi-annual training, but as yet, they aren’t very precise. That said, at the point of claim you will likely be asked to show the training that has been undertaken, so it is essential that you can evidence this across the whole business.
In our opinion, this is where your reality should far exceed the expectations set out for you by your policy. Although annual training is a common recommendation, research shows that training effectiveness diminishes between three and six months after training has been completed, with the freshness of training directly linked to its ongoing effectiveness. At minimum, cyber security training should really be happening every three months, but our own research and experience with clients has found that monthly bitesize training is actually the most effective approach, not only increasing the user’s direct knowledge of a subject, but also generally heightening their awareness across the board.
Consider physical access
Although the majority of breaches are fully digital, your cyber liability insurer will ask for an investigation into the incident, its likely source, and an assessment of the ongoing effect. As part of this, they may well ask to see your risk assessment, to show how you mitigate certain risks, including physical risks within your office. This includes access to the site, physical access to servers and routers, policy covering removable media such as USB sticks and hard drives, and policy on physically writing down passwords, for example. Physical access is the hardest to demonstrate and may be difficult to identify during an attack, but it is always essential to be able to demonstrate risk assessment and mitigation.
Need more help?
While this guide provides a helpful introduction to cyber insurance compliance, nothing beats personalised support and advice based on your policy. We can help. Ask our team about our IT audit service and advice on 01453 700 800. In the meantime, you may also enjoy this article from our MD Claire Maddox, about using tools and systems to mitigate risk.