‘Cyber maturity’ is not a term with which every business will be acquainted. But for one expert, it is key to gauging the scale and reach of an organisation’s cyber-insurance plan.

“It is important not to think of cyber in static terms, as purely an insurability issue,” says Eric Alter, Senior Vice President and UK Corporate and Commercial Risk and Cyber Engagement Leader at Marsh. “It’s a corporate governance issue. It’s a directors and officers issue. It’s an errors and omissions issue. And it’s a reputational issue.”

Alter explains that a cornerstone of health and safety insurance is a test of defensibility, whereby a qualified individual will comb through an organisation’s policies and procedures and assess its ability to withstand certain types of claims. Amid an insurance culture in which people may be tempted to chance their luck on claims loaded with wild assertions, an organisation must nonetheless be equipped to defend itself on credible grounds.

Cyber is starting to go exactly the same way, Alter explains. Where organisations are routinely using end-of-life hardware and don’t have safeguards such as multifactor authentication, endpoint detection and response, full patching capabilities, and vulnerability scanning, they are potentially leaving themselves open to cyber attacks.

He elaborates: “Now, you may have an insurer who says, ‘OK, we’ll put clauses in your policy to cover those risks.’ But the fact is that if you suffer an attack, and it becomes clear that it succeeded because of a lack of investment in enhancing your cyber security posture, then the investors and clients whose data you may have compromised could pursue your board via a directors and officers policy. That’s extremely serious.”

A question of governance

Alter also stresses that organisations must manage cyber as an intrinsic part of their environmental, social and governance (ESG) regime. For example, if a manufacturer works with pollutants and suffers a hack on its physical assets that triggers a leak of chemicals into the water table, that would contravene the ‘E’ part of the equation. A failure to protect staff and customer data from being infiltrated in a hack would be in breach of the ‘S’.

It’s when we get to the ‘G’ that the scenarios become particularly concerning. “A big issue is that lots of organisations don’t understand what cyber means in governance terms,” Alter says. “Cyber isn’t just about your laptops, mobiles and internet service. Cyber is about an attacker going after your building management system and knocking out ingress, egress, fire detection, fire suppression, lighting, cooling and heating – or disrupting day-to-day operations by using ransomware.”

Attackers could also try to harvest sensitive client or employee data to use against you. In a cyber attack in Finland three years ago, hackers pursued records of around 30,000 patients of a leading psychotherapy provider. It then sent them ransom emails threatening to expose details of their conversations with therapists unless they paid up. “Imagine having mental health difficulties and going through something like that. So, from a ‘G’ perspective, cyber goes to the very heart of your operational credibility.”

Addressing the fallout

As such, Alter says, a robust and effective cyber insurance policy should provide coverage and other relevant provisions across seven key areas:

1. Post-attack forensics – experts who will come in and help your business address the fallout of a hack, and work out in detail exactly what happened;
2. Incident response services – other third parties who will provide recovery support;
3. Business interruption – downtime stemming from a hack, during which your company has been unable to trade;
4. Restoration and reinstatement – should your servers need to be wiped clean and rebuilt;
5. Irreparable damage to machinery and/or software;
6. The ability to pay ransom, and
7. Legal liability.

But pay attention to the small print. “What we’re now seeing is insurers implementing sub-limits and co-insurance clauses,” Alter says. “A sub-limit is where the insurer will say, for example, ‘OK, we’ll write you a £5m limit – but we’ll set a £2m limit for business interruption or ransom coverage.’ And they may request co-insurance if you don’t have the appropriate systems, such as multifactor authentication or privileged access management controls.”

Using the correct lens

Looking at how businesses should factor a cyber insurance policy into its broader financial management and budgeting programmes, Alter highlights three main areas for senior teams to consider.

“First, assess what the policy gives you,” he says. “For instance, if you need a £1m policy, but the premium, deductible and co-insurance clauses and sub-limits mean you can’t access that policy until you’ve spent, for example, £750,000, there’s no point buying £1m of cover. Second, there may be contractual obligations to have cover in place – so, you need to work out the value of the contract against the value of the cost of the cover. If the cost of the cover significantly exceeds the value of the contract, you may be better off walking away from the contract.”

As a third point, Alter notes, a business must consider what action to take if cyber cover is unavailable, because there’s no appetite to underwrite the risk. “Perhaps you’re working in a sector that’s affected by high-frequency and high-impact attacks, and insurers say they’re not prepared to cover that risk. So, what’s your alternative risk-transfer methodology? Do you look at, say, setting up an escrow account, or investing in surety bonds?”

Overarching those points, though, Alter stresses that senior management teams must look at insurance financing through the correct lens. “Don’t see cyber insurance as a cost,” he says, “but as an investment. A finance director may say something like, ‘We’ve got a building that’s worth £100m and I’ve been paying a premium of £1m a year on it for 10 years and I’ve never seen anything back from it.’ But you have: the ability to sleep at night.

“So, make sure you understand the limit you’re buying – and that it’s relevant to the loss you’re trying to protect.”

Vital controls

In the UK, the National Institute of Standards and Technology (NIST) has developed best-practice protocols for information security. Based on NIST’s measures, Alter highlights 12 key controls that every company should put in place to ensure it is coverable – or, in the event that it is not, that it will be in a position to deal with a claim:

1. Multifactor authentication

2. Email filtering and web security

3. Secure, encrypted and tested backups

4. Privileged access management controls

5. Endpoint detection, response and recovery

6. Patching and vulnerability management

7. Incident response plans

8. Cyber security awareness training and phishing testing

9. Remote desktop protocol mitigation and further systems hardening

10. Logging and monitoring network activity

11. Replacement of end-of-life hardware as much as possible

12. Digital supply chain cyber risk management

As an ICAEW Member Rewards Partner, Marsh Commercial provides members with cyber insurance for the specific threats that chartered accountants face.