Cyber insurance risks and mitigations: the experts speak

How has cyber insurance evolved in response to the ever-changing cyber threat landscape? We invited the experts to give their advice to security-conscious SMEs.

Cyber insurance has emerged as a key consideration for SMEs as they look to protect their assets in a world of rapidly changing threats. That’s why we recently hosted an event with representatives from industry-leading companies in both cyber security and insurance at Thinc HQ.

Read on for their insights on the changing trends in the industry and what your business can do to minimise risks.

Our cyber insurance and security expert panel

Our thanks go to the following participants for their invaluable contributions:

How have you seen the security landscape evolve over the last few years?

Pete Marshall (PM): We’re very much focused on data protection, but a dramatic change over the last few years has been the fact that data protection has aligned far more significantly with security protection.

If you go back a few years, when people were looking at data protection, it was less invested than other parts of the infrastructure. That’s something that’s changed a lot.

What we’re seeing in many organisations is specific people in security roles where they’re getting heavily involved in data protection related projects, because it’s absolutely critical that the front end has all those steps taken. You play an active role in trying to mitigate the worst happening in the first place.

But more and more people are planning for the fact that while cyber attacks might be captured a hundred thousand times, the one time it gets through, there’s a problem. And that means people are investing in the backend as well.

It can be simple steps like multi-factor authentication, but it’s not just tied into technology. It’s also about those conversations between the business people, the data owners and IT. That means getting a more accurate and concise service level definition of what’s going to be the most critical.

What behaviours are we seeing drive a change in cyber insurance premiums?

Graham McKenzie (GM): Premiums seem to only be going one way at the moment. The key driver is the business activity. So, if you’re an online retailer, you’re going to typically be paying a lot more than an office. If you’re cash generative through the internet, you’re going to be paying more.

We’d look at how much you’d be impacted by a significant downtime as well as your turnover and whether you have multinational exposure. So, if you’ve got customers all over the world and you have a data breach that you have to defend, there will typically be a higher premium.

The volume of data subjects is another factor. For example, a media company could have two or three million data subjects quite easily. Sensitive data such as financial or medical records are something else we ask about. Hotels could have millions of these records, and they pay a lot for their premiums as they’re a big target for hackers.

Caitlin Dean (CD): It’s all proportional because a question like “do you have a firewall” is quite substantial for a very small SME. If we’re getting into a multinational business, then there are a lot more questions like which firewall it is, how often it’s checked, are you infiltrating it etc.

The question set is very dependent. Statement of fact is traditionally a way of writing policies for SMEs. That’s a set of assumptions that are delivered on the back of a policy that you as a business must be able to comply with. The onus is on you as a business to check those assumptions and let your broker know if obviously you can’t comply with any of those, and we need to obviously refer that back to the insurer.

When you get into bigger cyber policies, you’re then on a proposal form basis, with very personalised information for your company and much more in-depth questions. So, it’s all proportional to the size of the company.

Is the fact that funds are being paid for ransomware claims potentially driving this crime?

GM: I spent some time with one of the claims managers last week, just going through some of these trends and they were saying that ransomware seems to be on the decline. In 2021, we were paying out between 30 and 50 claims a month. Since March 2022, we’re now between 15 and 25. And because of international sanctions, we can’t pay ransomware and meet demands. So, they’ve now moved away and they’re attacking places like South America.

CD: These aren’t common criminals, these are business people. They know very well whether or not that claim is going to get paid. A lot of insurers are now moving to encrypted documentation because, if a criminal discovers that someone has cyber insurance, then they are going to be targeted.

It’s almost as though you act as though you’re uninsured, except from internally, so that it’s not used against you.

What can businesses do to protect themselves?

PM: I had a conversation with someone the other day that didn’t have multi-factor authentication on their core backup system, they just had it for all their users. That’s a massive hole. There’s also the education of users, which is so important. So, there are some quick wins that are easy to do.

Obviously, you measure risk against cost against reward. If you’ve got some data in a cloud environment and you’re not backing it up, and you lose that data, then you can reproduce it. It’s not really a risk unless it takes you forever to reproduce it. On the other hand, if being without access to that data for 48 hours is going to have a significant financial impact, then it’s not that challenging to work out the cost against mitigating that particular risk.

CD: We often find that people say, yes, we’ve got disaster recovery for fire and flood, but they might not have actually built these IT scenarios into that. Often, we’ll sit in front of clients and say, what keeps you awake at night? If it all goes wrong tomorrow, what’s going wrong? And what can we do to help you mitigate that?

Denise Regan: With the SME size product, there are a lot of policies that just roll over and over and maybe the client just never has any contact with the broker or insurer. Our job is to discuss these matters.

At every client’s renewal, no matter how big or small, we always discuss cyber – it’s on the top of the list. And then D&O (directors’ and officers’ liability) comes quickly after that.

Even if we’ve not got the information, we’ll run through a quick check through our electronic systems. We’ll then get a small quote based on these assumptions and then open the conversation and start talking about it. We have these really in-depth conversations trying to think of all of these scenarios and ways to plug these gaps. If you approach us, we’re happy to give a free check on your policy.

Are your systems secure?

If you’re looking for reassurance that your business is protected, get in touch and we’ll schedule a chat with our expert consultants.
