
SRM Solutions
The SRM Blog

Cyber insurance may be null and void without ‘due care’


There is a worrying trend in the world of cyber safety. Many companies believe that cyber insurance will cover any damage arising from a breach. It is vital that senior board members are aware, however, that if the organisation fails to take reasonable precautions, the insurer may decline the claim and the investment in cover could well be null and void.

Leading business insurer Allianz estimates that the cyber insurance market in Europe alone is on track to be worth nearly $1 billion by the end of 2018, mirroring the rapid expansion of the US cyber insurance market. Although the global insurance industry sees this as a valuable new market full of opportunity, insurers are, predictably, measuring their response with caution.

Cyber insurance has, in the past, been considered a safety net in the event of a breach. But as the incidence of cyber breaches continues to rise, so has the level of caution shown by both governments and the insurance industry. In fact, while governments, especially in the US and the UK, are promoting the cyber insurance market, they are also using it as a lever to drive much needed cyber security improvements in the business sector.

According to Phil Huggins, Vice President of Security Science at Stroz Friedberg: "Their [the government's] expectation is that this will align risk assessments with good practice, while incentivising good risk management, thereby reducing the need for direct government involvement and regulation. The recent launch by the UK Government of the 'UK cyber security: the role of insurance in managing and mitigating the risk' report is just the latest manifestation of this strategy."

The strategy is working. Insurers are incentivising behaviours that reduce the potential for harm, and policy wording increasingly includes a ‘due care’ condition. This refers to the precautions ‘a person of ordinary prudence’ would take to safeguard their systems. Because a claim is assessed after the event, the evidence of those precautions (test reports, exercise records, patching and incident plans) has to exist before the breach, not be assembled afterwards. Demonstrable cyber resilience has therefore become a requirement for cyber insurance, and this in turn is driving increased demand for Retained Forensics.

The essence of Retained Forensics is to develop cyber resilience through the engagement of a small team of industry professionals who are fully briefed on the scope of an organisation’s network and infrastructure. This enables them to:

  • establish, direct and manage a full test and exercise programme;
  • ensure high-level management of cyber defences across the whole network and infrastructure;
  • be on hand and ready to put the agreed action plan into effect in the event of a breach. In this way, the GDPR requirement to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33) will be achievable, and the mitigation process will be well in hand before that deadline.

SRM has an international reputation for providing the full range of Retained Forensics services, including automated and manual penetration testing, Red Teaming, Incident Management, Disaster Recovery and Business Continuity Management. Through Retained Forensics, ‘due care’ can be demonstrated, making an organisation not only less likely to suffer a breach, but also able to evidence best practice in the event of an insurance claim.
