NCSC Offers Seven-Question Guidance on Cyber Insurance

New guidance has been produced on cyber insurance to help organizations considering investing in cover.

Published by the National Cyber Security Center (NCSC), the guidance highlights seven key cybersecurity questions for businesses to address to help them make more informed decisions around cyber insurance.

The NCSC said that, following calls for expert technical advice on the growing cyber insurance market, it decided to offer the following questions for senior leaders within organizations:

  1. What existing cybersecurity defenses do you already have in place?
  2. How do you bring expertise together to assess a policy?
  3. Do you fully understand the potential impacts of a cyber-incident?
  4. What does the cyber insurance policy cover (or not cover)?
  5. What cybersecurity services are included in the policy, and do you need them?
  6. Does the policy include support during (or after) a cybersecurity incident?
  7. What must be in place to claim against (or renew) your cyber insurance policy?

Sarah Lyons, deputy director for economy and society engagement at the NCSC, said: “Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance, there simply hasn’t been enough information up to now. That’s why it’s so important for the NCSC, as the UK’s leading cyber-authority, to offer its support by providing some clarity on the key issues to consider to ensure cybersecurity.

“Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”

The guidance was welcomed by two UK insurance associations, the British Insurance Brokers’ Association (BIBA), and the Association of British Insurers (ABI), while Andrea García Beltrán, cyber-manager (underwriting) at the UK & International Division of RSA Commercial, said organizations are increasingly considering the purchase of cyber insurance as part of their cyber-risk management approach. 

“As a result, the NCSC is frequently asked about cyber insurance by customers; however, they cannot provide advice on insurance solutions or products, so they have decided to create guidance considering a wider approach to cyber-risk management by focusing on the cybersecurity elements of cyber insurance,” she said.

“From our perspective, we welcome the guidance especially because not all buyers are sophisticated and we cannot provide advice either.”

She said this will help organizations to have a better understanding of: 

  • Actions needed from the risk management point of view prior to transferring the risk to insurers
  • What to expect during the insurance purchase process
  • Who needs to be involved from the company side; ultimately cyber is an enterprise risk 
  • Role of the insurance broker or agent
  • Overall information needed by insurers to be able to assess the risk

“Last but not least, this guide helps to clarify that cyber insurance is part of a robust cybersecurity resilient strategy and not the only solution to the evolving risk and exposure,” she added.

Steve Durbin, managing director of the Information Security Forum, said: “Cyber-risk is a growing concern for organizations around the world, as data breaches make headlines with increasing frequency and the resulting financial and reputational costs mount. Risk management as an effective way of addressing these concerns is absolutely key for all organizations during these times of pandemic and recession – many of the secure architectures and structures previously adopted may have changed and ensuring that the way of working today has been risk assessed is a key task for security professionals.

“Increasingly we have seen companies turning to insurance as a means of mitigating costs associated with breaches and the rise in ransomware amongst other threats has pushed many boards into considering cyber insurance. However, insurance is no excuse for poor security and focus should first be on ensuring a robust security posture that reflects the needs of the organization before rushing headlong into taking out insurance as a means of mitigating risk.”

Durbin recommended organizations adopt a robust, scalable and repeatable process to address information risk – obtaining assurance proportionate to the risk faced in which insurance may play a role. “Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling,” he said.
