Information is key... for a business looking to take out or renew a cyber insurance policy this year, more than it ever has been before.

And the reason is obvious: an industry plagued by ever more sophisticated cyber attacks (particularly ransomware) has to carry out a proper amount of due diligence before it can effectively provide risk transfer. This - in my opinion - is a great way of combating the prevalent threats that businesses face with regard to network security, and it is the cyber insurance industry's best means of encouraging security among its clients: if you want cover, you have to be able to demonstrate capable security management and a capable security outlook.

The insurance industry as a whole frequently gets a bad rap. In cyber, the public lament has shifted from "Cyber doesn't pay claims!" to the present "Ugh, cyber keeps paying ransomware claims!" There has been much speculation (some of which I have posted about) on whether ransomware payments should be made illegal and whether insurance payouts worsen the problem.

However, the real issue is not the payment of ransoms: it is usually several steps before this, before even the breach itself...

Most cyber incidents, ransomware or otherwise, could be prevented with proper patching, better employee education, or otherwise securing the digital perimeter. That is where the cyber insurance industry is most relevant - yes - it is there to cover a business for the financial loss incurred following a cyber incident, but also, by highlighting those necessary steps long before an event occurs, it encourages best security practice for preventing the incident itself.

An industry that has made its name on being a stickler for detail can 100% drive the needed changes going forward. No multi-factor authentication? No insurance policy for you! Didn't back up your systems? Big ol' ransomware sublimit until that's fixed.