Tom Turner, CEO of IT security service BitSight

Banks needing cyber insurance to protect themselves against security breaches must have proper intelligence about their organisation’s risk rating, said a leading cyber expert.

They must also look into what types of incidents are covered by a cyber insurance policy so that expectation meets reality in the event of a claim, argued Tom Turner, CEO of IT security service BitSight: “For example, how far does your liability extend in terms of employee actions and what are the security standards that you must meet?” he added. “You also need to know if there are any regional restrictions if breaches stem from operations in a different country to your registered headquarters. What are the timeframes within which you are obliged to report a breach, and what speed of response can you expect from your provider? Breaches can take time to come to light and you need to know how your provider will respond to delays in discovery, and what resources they’ll provide to support you in the event of a breach.”

On the other side of the coin, cyber insurance providers will need comprehensive information on a customer’s security posture and protocols, pointed out Turner: “They should seek insight into how proactive an organisation is at protecting against evolving threats, like do they use threat intelligence services and threat hunting to keep on top of emerging TTPs,” he added. “Insurers also need to understand the customer’s exposure to third-party risk through its extended ecosystem, incorporating supply chain and M&A activity. They need to be alert to material changes that originate in the wider ecosystem so they can make informed underwriting decisions.”

As cyber insurance in Europe matures, Turner expects to see carriers developing their provision beyond basic risk transfer: “They will be offering post-incident services and support for customers that suffer breaches and should also look at providing tools to help businesses monitor risk more accurately as part of a trusted partnership between insurer and insured,” he concluded. “Much of how the market develops will depend on how cyber claims and litigation unfold in the real world, and insurers will be closely monitoring the first cases to come out of GDPR breaches to see how the regulation will be interpreted. Insurers will be working towards greater clarity in policy wording and exclusions, so that companies can be confident that they have a policy that will meet their expectations in the event of a claim.”

by Guy Matthews