The UK's cybersecurity agency has set out advice for companies considering taking out insurance against hacking and ransomware attacks.
Cyber insurance can help businesses to recover after a ransomware attack or data breach by providing financial support to put the damage right, and can also help with legal and regulatory headaches after an incident.
But as the National Cyber Security Centre (NCSC) notes in its new guidance, this insurance will not fix your security issues, and won't prevent a breach or attack from taking place. "Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about," it said.
Almost half of UK firms reported a cyberattack over the past year, but take-up of cyber insurance by businesses remains low. Cyber insurance might not be right for everyone and it can never replace good security practice, said Sarah Lyons, NCSC deputy director for economy and society engagement.
NCSC poses seven questions for senior execs at organisations considering cyber insurance:
- What existing cybersecurity defences do you already have in place?
- How do you bring expertise together to assess a policy?
- Do you fully understand the potential impacts of a cyber incident?
- What does the cyber-insurance policy cover (or not cover)?
- What cybersecurity services are included in the policy, and do you need them?
- Does the policy include support during (or after) a cybersecurity incident?
- What must be in place to claim against (or renew) your cyber-insurance policy?
The NCSC said most insurance offered covers the immediate effects of an attack on an organisation by working to quickly restore network systems and data, while seeking to minimise losses from business interruption. With data breaches there might be legal action from customers or others affected, and defending or settling those claims would also normally be covered.
However, it also said potential buyers should make sure of what is excluded: for example, some insurance policies will not cover money lost through business email compromise fraud. As cyberattacks are constantly evolving, companies should also check that new types of cyberattack are covered. It's also worth investigating what services the insurer provides in the immediate response to an incident to help manage recovery and improve resilience – and to learn what went wrong.
Some aspects of cyber insurance are more controversial; in a number of cases, insurers have paid the ransoms demanded by ransomware gangs, which critics have said will encourage more attacks in the future. Insurers argue that such payouts are made at the request of their clients who are often faced with a tricky choice between paying off the criminals or a long and complicated job of restoring their computer systems or building the network again from scratch – which might be far more expensive.