Assessing IT risk and reducing it as far as possible is at the top of the agenda for IT and security officers in many companies. Numerous insurers now offer cyber insurance to companies against theft, hacking, data destruction, extortion, denial-of-service attacks and similar events. These risks are typically excluded from traditional policies or are not specifically defined in traditional insurance products. Cyber insurance policies may include first-party coverage, i.e. the insured company's own losses.
IT-related incidents, together with the business interruptions they cause, are among the largest business risks worldwide. To counteract this, the digital attack surface must first be reduced with suitable security measures; numerous insurers then offer cyber policies for the remaining residual risk. Cyber insurance is a safety net for the case that, despite all IT safeguards, an emergency occurs. However, a cyber policy does not automatically pay out when it is needed: companies must check very carefully which policy is right for them, when the protection applies and under which conditions it lapses. Insurers also require their clients to take certain security precautions. The following sections describe how companies should prepare and which pitfalls they should avoid.
Types of insurance
Most cyber insurance providers cover the following:
- Cyber attacks, including hacking.
- Theft and fraud.
- The cost of legal, technical or forensic services needed to determine whether a cyber attack has occurred, to assess its impact and to stop it.
- Business interruption.
- Reputation attacks and cyber defamation.
- Loss and restoration of computer data.
What should be insured?
The first step is to determine what exactly should be insured. Answering the following questions helps to sort this out:
- Which data, information, systems and business processes could the company afford to lose or have damaged, and which could it not?
- How should investment in reducing cyber risk be divided between basic and advanced protective measures?
- What options are available to help mitigate certain cyber risks?
- What options are available to help transfer certain cyber risks?
- How should the impact of cybersecurity incidents be assessed?
Insurers base their policies on different criteria. As a rule of thumb, the more sensitive the data collected and processed, the better it must be protected. Some of the baseline security controls that insurers generally require are:
- Antivirus software must be kept up to date at all times.
- Data must be backed up at least once a week.
- Updates and security patches for software and plugins should be installed as soon as possible.
- Company servers must be protected by a firewall together with security monitoring and intrusion prevention solutions.
- Companies must set up separate IT administrator access and strictly limit access rights to what each role needs.
- Each employee must have an individual account with personal credentials; shared accounts and default passwords must be avoided.
- Users should be required to use complex passwords (minimum length, digits, upper/lower case, special characters, regular changes). Note that current guidance such as NIST SP 800-63B favors length and screening against breached-password lists over forced periodic changes, so check what the individual insurer actually demands.
- Mobile devices and removable media must be fully encrypted and protected by a password or two-factor authentication (2FA).
- Tampering with the backup copy must be prevented by keeping it physically separate from the server. The so-called 3-2-1 rule applies to critical data: three copies of the data, stored on at least two different types of media, with at least one copy kept outside the company.
- Backups must be tested regularly to confirm that they can actually be restored.
The scope and content of the insurer's risk questionnaire vary and should be adapted to the company's individual risks.
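As an added example (not part of the original article and not any insurer's tooling), the following Python script shows the kind of restore drill the last two requirements call for. It backs up a constructed sample directory into a tar.gz archive, records a SHA-256 manifest of every file at backup time, restores the archive into a scratch directory and compares each restored file against the manifest, then flips one byte of the archive and repeats the check to show that a damaged or tampered backup is reported rather than silently trusted. The sample files, paths and function names are assumptions for illustration; a real job would point at the production data and keep the manifest with the off-site copy, separate from the archive it describes.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

# Constructed sample data standing in for "critical data"; in a real drill
# this would be the production directory (assumption for illustration).
SAMPLE_FILES = {
    "customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.ini": b"[db]\nhost=db.internal\n",
    "notes/readme.txt": b"quarterly restore test\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write the children of src into a tar.gz archive and return the manifest
    taken at backup time. The manifest is the reference for later restore checks,
    so it must be stored separately from the archive (e.g. with the off-site copy)."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(src.iterdir()):
            tar.add(child, arcname=child.name)
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and check it against the manifest.
    Returns a list of problems (empty means the restore is good): an archive that
    cannot be read, files missing after restore, or files whose hash changed."""
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        # Use the "data" extraction filter where available (Python 3.12+ and
        # security backports) so a crafted archive cannot write outside dest.
        extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(dest, **extract_kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(dest)
        for rel, expected in manifest.items():
            actual = restored.get(rel)
            if actual is None:
                problems.append(f"missing after restore: {rel}")
            elif actual != expected:
                problems.append(f"hash mismatch after restore: {rel}")
    return problems


def run_restore_drill() -> tuple[list[str], list[str]]:
    """Back up the sample data, verify a clean restore, then corrupt the archive
    and verify again. Returns (problems_clean, problems_after_corruption)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        for rel, content in SAMPLE_FILES.items():
            target = src / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # Simulate media corruption or tampering: flip one byte in the middle
        # of the compressed stream, then run exactly the same check again.
        raw = bytearray(archive.read_bytes())
        raw[len(raw) // 2] ^= 0xFF
        archive.write_bytes(raw)
        damaged = verify_restore(archive, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_restore_drill()
    print("clean restore problems:", clean or "none")
    print("after corruption:", damaged)
```

The drill only exercises integrity and restorability on one machine; the off-site copy demanded by the 3-2-1 rule is an operational matter the script cannot check. Scheduling it (for example weekly, matching the backup interval insurers expect) and keeping the report gives the company evidence that the restore test actually happened, which is what an insurer will ask for after a claim.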