Should local authorities invest in cyber insurance?
Cyber attacks and breaches remain prevalent following the sharp rise seen at the start of the pandemic.
The 2021 cyber security breaches survey reported that four in ten businesses and a quarter of charities had experienced cyber security breaches or attacks in the previous 12 months. Local authorities are just as much at risk as any other organisation, with one recent attack knocking services offline and costing £10.4 million.
Whether or not an organisation takes out cyber insurance should be decided as part of a broader security and risk management strategy. Cyber-related decisions affect the entire business, which is why we encourage board-level executives to review cyber security as a strategic priority.
Not even the most comprehensive cover can beat strategic investment in good security practices. However, no combination of the two provides a cover-all safety net. So even with all the proper technical controls, policies, certifications and training in place, insurance could still be a sensible choice if you believe you are well protected.
The balance between the expense of premiums and the cost of a cyber incident will be different for each provider. So, what role does cyber insurance have to play, and should you invest in such policies?
Time, money and peace of mind
One of the biggest benefits of cyber insurance is the peace of mind that practical and financial help will be available to recover from an attack. However, customers tell us that one of the most significant costs of a cyber attack is the extra staff time required to deal with the fall-out and recovery. One local authority suffered a damaging cyber attack that took four months to recover its IT systems, with services still affected months later.
Experts could save you time by getting to the root of the problem and helping to prevent an incident from spreading. In addition, an insurance company may appoint a third-party incident response or digital forensics company following a successful claim.
Insurance could cover the costs of negotiators in a ransomware attack and PR support to manage reputational risk. However, Jisc and the National Cyber Security Centre do not advise paying ransoms. It can also help with legal fees, damage claims arising from a data breach, or regulatory actions that must be completed after an attack. Falling victim to cyber criminals can be extremely costly.
The full picture
Statistics from Jisc's 2021 cyber security posture survey found that cyber insurance take-up in the education sector is higher than in other sectors. Unfortunately, though, only 43% of businesses and 29% of charities responding to the 2021 cyber security breaches survey said that they had some form of cyber insurance.
Since these surveys, we have become aware of several organisations struggling to renew or obtain cyber security insurance because providers have withdrawn that offer. For example, one organisation has said that at renewal its cyber insurance premium had a zero added to it whilst its cover had a zero removed.
What cover to choose?
Knowing your baseline capability, resources and skills is vital when exploring which cover to use. In addition, brokers will want to understand the level of protection in place. Many will offer favourable rates to organisations that can demonstrate defensive measures, such as Cyber Essentials certification. Be warned, though: policies may not pay out if the insured fails to meet the agreed protection standards.
When considering cyber insurance for the first time, you will need to consult several people. Technical experts, together with those responsible for security, business continuity and contracts, will need to be part of these decisions. Then, collectively, this team will need to decide what is and is not covered.
Remember, the threat landscape is constantly evolving, so any policy will need regular review to reflect that and to take account of changes to the organisation. For example, if defensive capability increases, or the expertise and resource in the security and IT teams develop, could the cover be reduced?
Do not limit yourself to meeting the minimum cyber security requirements specified by an insurer; these might not adequately protect the things your organisation cares about. The National Cyber Security Centre's guide to cyber insurance provides comprehensive advice and a checklist to follow.