
William Thackray, Operations Director, of AGT Computer Services
Cybercrime is now one of the greatest threats to contemporary businesses. Every business model is at risk from the near-endless range of hazards, from ransomware to data breaches and phishing scams, and it only takes the smallest lapse for significant damage to happen, whether financial loss or crippling reputational damage. That’s why so many companies are investing heavily in cyber insurance as well as security. It’s a sensible move, but recently, a growing number of SMEs have had their claims rejected or payouts delayed, mainly because their insurance policy terms were not met.
Where are businesses going wrong with cyber insurance?
Cyber insurance is vital for all businesses, but it’s only viable when businesses adhere to the terms of their policy. Too often, insurance claims are rejected because the claimant hasn’t read the small print. With insurers battling against a torrent of cybersecurity claims, and the value of pay-outs increasing dramatically, it’s only to be expected that providers will tighten their eligibility criteria, and part of that is a focus on what businesses can do to protect themselves. A firewall and employee multi-factor authentication (MFA) aren’t enough to secure cyber insurance compliance. And if you don’t drill into the details and make sure that every box is ticked, you’re not only exposing your business to risk, but paying for an insurance policy that you can never expect to pay out.
What influences cyber insurance payouts?
There are so many reasons why SMEs are having their cybersecurity insurance claims denied. But three come up far more regularly than any other.
Underinsurance
This is a bit like buying a product in the Black Friday sales, then expecting an original price refund if you need to return it. If you underinsure any assets – physical or digital – your insurance won’t cover the true value. This is covered by the “average clause” in your small print. But it goes one step further. If your insurer believes the omission to be a deliberate act, they can reject your claim entirely.
Missed security conditions
This is another important – and often overlooked – part of the small print you’ll find in any insurance document. Every cyber insurance policy will come with listed security safeguards, which must be met. If an event happens and your insurer finds that you haven’t met their stipulations, whether that’s a lack of data encryption, the failure to use a VPN for all communications, or certain staff members have failed to activate MFA, your policy will be invalidated.
Exclusions
Not all cybercrimes are equal in the eyes of insurers, and some events simply won’t be covered by some policies. This usually applies to insider threats, social engineering, and third-party breaches, but all insurers have different criteria, so never just assume.
What can you do to ensure your claims are accepted?
The first thing you need to know is that all of the information you need is within your insurance policy. You just need to read and act on it. But maintaining good cybersecurity hygiene should be a priority anyway, because it can keep your business protected rather than rushing to pick up the pieces. So, start with five core security measures, and seek professional support if you need any help with them.
MFA
Everyone should be using multi-factor authentication now, even for their personal email. It’s really easy to implement, whether through codes, tokens, or biometric scans, and it adds an extra layer of protection that passwords alone can’t achieve. Insurers view MFA as a measure of “reasonable” protection.
Regular patch cadence
Software now updates so frequently, and this can be really useful for businesses, but outdated software is one of the most common causes of cyber breaches. Maintaining a consistent patching routine helps to ensure your tech infrastructure is protected against known vulnerabilities.
Audit trails
If you don’t keep a clear audit log for your business, it becomes impossible to detect cybersecurity breaches until the damage is done. You also can’t prove compliance for your insurance claims, which means that you probably won’t receive any payments.
Train employees
People make mistakes, which is why human error will probably always be the biggest cybersecurity risk. You can counter this through regular training, reminding your team of company policy and practice, and using phishing simulations to demonstrate where the risk lies.
Review your policy
Businesses change, and cyber risks change with them. So don’t view your insurance policy as a static one-and-done activity. Don’t just renew it without looking at the details. By reviewing your policy annually, you can ensure it’s still relevant.
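The five measures above, and the missed security conditions described earlier, all come down to one question: can you show evidence that every stipulation in the policy is met? The script below is an added example (not from the article or AGT) of a self-check that turns a constructed staff and host inventory into a gap report; the policy thresholds, user names, host names and dates are all made up for illustration.

```python
from datetime import date

# Constructed sample inventory (not real data): staff MFA status and host state.
STAFF = [
    {"user": "alice", "mfa": True},
    {"user": "bob", "mfa": False},
    {"user": "carol", "mfa": True},
]
HOSTS = [
    {"host": "web-01", "last_patched": date(2024, 5, 1), "disk_encrypted": True},
    {"host": "fileserver", "last_patched": date(2024, 1, 10), "disk_encrypted": False},
]
AUDIT_LOG_RETENTION_DAYS = 400

# Hypothetical policy conditions, modelled on the stipulations the article lists
# (MFA for all staff, a patch cadence, encryption, and a retained audit trail).
POLICY = {
    "mfa_all_staff": True,
    "max_patch_age_days": 30,
    "encryption_required": True,
    "min_log_retention_days": 365,
}


def check_conditions(staff, hosts, log_retention_days, policy, today):
    """Return a list of (condition, asset, detail) gaps; empty means every box is ticked."""
    findings = []
    if policy["mfa_all_staff"]:
        for s in staff:
            if not s["mfa"]:
                findings.append(("MFA", s["user"], "multi-factor authentication not enabled"))
    for h in hosts:
        age = (today - h["last_patched"]).days
        if age > policy["max_patch_age_days"]:
            findings.append(("PATCH", h["host"], f"last patched {age} days ago"))
        if policy["encryption_required"] and not h["disk_encrypted"]:
            findings.append(("ENCRYPTION", h["host"], "disk not encrypted"))
    if log_retention_days < policy["min_log_retention_days"]:
        findings.append(("AUDIT", "log retention", f"only {log_retention_days} days kept"))
    return findings


def report(findings, today):
    """Dated lines you could keep as evidence that the check was run."""
    header = f"[{today.isoformat()}] compliance check: {len(findings)} gap(s)"
    return [header] + [f"  {c:<10} {asset}: {detail}" for c, asset, detail in findings]


if __name__ == "__main__":
    gaps = check_conditions(STAFF, HOSTS, AUDIT_LOG_RETENTION_DAYS, POLICY, date(2024, 5, 15))
    print("\n".join(report(gaps, date(2024, 5, 15))))
```

Run it on a schedule and keep the dated output alongside your audit logs; a clean run each month is the kind of record an insurer asks for after an incident.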
Cybersecurity insurance is your business’s safety net. But it only works if it’s not riddled with holes, and you’re the only one who can fill them. So, take out your policy, make sure that it’s right for you, and follow the small print to the letter. Hopefully, with your security in order, you’ll never need to see if your policy delivers. But if the worst happens, you can be confident that you’ve done all you can to keep your assets protected.