Cyber insurance: Are you fully covered? 

Cyber insurers have raised the bar on the security standards they demand from policyholders as they seek to get a handle on hefty losses incurred following a huge increase in claims. A report from Marsh insurance details that the number of ransomware-related claims rose to 77% in the first quarter of 2023. Many businesses now find themselves either scrambling to implement new security measures, or unaware that their policy might be declared null and void in the event of a cyber-attack or breach. 


Why are new measures being implemented? 

Even before the rise of hybrid working, insurers offering cyber security and cyber liability policies were shoring up their underwriting guidelines and asking more questions of the businesses applying. After the pandemic hit and entire workforces became remote, many cyber criminals took advantage of new security vulnerabilities with ransomware, phishing and other attacks increasing. In 2020 alone, 46% of UK businesses identified that they’d been targeted by a cyberattack, and insurers were paying out more regularly than ever before.  

In an effort to recoup some of these losses, many insurers have recently implemented huge hikes in premiums and tightened the required security standards for policyholders. 


What security measures need to be in place? 

Individual insurers will have their own underwriting guidelines in place, but few will approve policies for any business that isn’t meeting the most basic of security standards. Cyber security is already a high priority for most businesses, and insurers expect applicants to have at minimum the following measures already in place:  

  • Least privilege access management 
  • Vulnerability scanning 
  • Anti-malware protection 
  • Firewalls and DMZs 
  • A business continuity plan 
  • Staff training, data protection and IT security policies 
  • Clear sight of sensitive data, including PII and PCI records 
  • Defined recovery time and recovery point objectives 


New insurer demands 

With the hardening of the cyber liability insurance market, businesses are now being asked to go further than best practice alone with their cyber security. The current climate is such that UK insurer Beazley has launched a world-first £37 million ‘cyber security bond’ designed to help it eventually provide billions of dollars of reinsurance cover. With potential financial implications of this size, insurers are keen to see businesses playing a bigger role in mitigating the risk. In addition to this, many insurers are insisting that businesses have these key risk controls set up:

  • Advanced Endpoint Detection and Response (EDR) protection 
  • Multi-factor authentication for all remote users 
  • Multi-factor authentication for access to all cloud-based services, such as Microsoft 365 
  • Tight control on open ports 
  • Network segmentation 
  • Offline or immutable backups 
  • Critical software and firmware patching in less than 14 days  
  • No legacy or out-of-support systems, or robust mitigation where these are still used 
  • Web Application Firewall (WAF) for high-risk websites, such as login areas for data portals or customer online sales sites 


Better protection for businesses… and insurers 

Insurers offering cyber security cover are fast becoming drivers for improvement in business cyber security: while they want to protect themselves against financial losses, they are also increasingly pointing businesses in the right direction to protect themselves.

Many insurance providers now have dedicated in-house cyber security teams, who are driving change that not only better protects businesses but also makes policy claims less likely. For that reason, many underwriting guidelines go much further than even the requirements mentioned above. Depending on the size of the business and the level of cyber risk (i.e. the value of the data being held and the likelihood of the business being targeted), some insurers may also require businesses to implement further measures, such as:

  • Data Loss Protection (DLP)
  • Intrusion Detection and Prevention Systems  
  • Network Access Control 
  • Application whitelisting 
  • Dark Web intelligence 
  • Security Information and Event Management (SIEM) systems
  • A Cyber Incident Response Plan (CIRP) 


The critical importance of Cyber Incident Response Planning 

More and more insurance providers are asking the businesses they cover to provide assurance that they have a Cyber Incident Response Plan in place.  

A CIRP is a formalised document that details everything that needs to be done – and by whom – in the event a business’s systems are affected by any type of cyber incident, from data breaches to network outages. Without a detailed CIRP in place, priorities can be missed in the response phase, key steps can be forgotten, and there’s an increased chance of expensive mistakes and omissions being made. Insurers are keen to limit the damage caused – and the cost of their payouts – by a cyber incident and are writing CIRPs into policy requirements. Businesses without one in place may struggle to get insured or may even find their policy declared void when it comes to making a claim.




Shop around and do your homework 

The most important thing for businesses to note is that the rules have changed quite dramatically. Those that are looking to take out or renew a cyber security or cyber liability policy will need to do their homework first. Inertia at policy-renewal time is a time-worn tale among both businesses and individual consumers, but the cost of maintaining the status quo is increasingly high. If you don’t have the right firewall protection or haven’t got a cyber incident response plan in place, you may now find yourself unable to claim under your policy. It’s worth shopping around for cover that offers not only better protection in the event you do need to make a claim, but also stronger guidelines for how to better protect your data and systems in the first place. 


With in-house security experts on hand, insurers are increasingly building their policies with prevention in mind and offering an enhanced range of wraparound services. Businesses can now benefit from good cover, as well as support services that range from forensic investigation in the event of a breach to crisis management and reputation handling. 


Protecting your business, 24/7 

In a time of increasingly frequent and sophisticated cyberattacks, it’s crucial for businesses to have the right protection in place – and that means not just having adequate cyber security measures in place, but also ensuring that all insurance policy requirements are being met. At M247, we can help protect your systems against cyber threats with our range of security services and solutions, from next-gen firewalls and DDoS protection to data management and backup. We can also carry out a full security audit to make sure your business is meeting all the requirements of your insurance policy.


Get in touch today to arrange a discussion with our expert security teams. 

