(4 min read)
So screamed a headline, quoting Mario Greco, chief executive at global insurer Zurich.
The short answer is no. While the cyber insurance market is reacting to increasing risks, and re-evaluating how it prices cyber risk, the market itself will not disappear. Some risks will be uninsurable, of course, or will have exclusions that may not make insurance particularly useful, but like any insurance product, it depends on how risky the insured party is and what is included.
No company – or organisation – is safe from a cyber attack. Companies of all shapes and sizes – from SMEs to the world’s largest brands – have already become victims of cyber crime in 2024.
So it’s unsurprising that insurers – who once used to ‘bolt-on’ cyber insurance to a business insurance policy – now expect businesses to prove they are taking a serious approach to keeping criminals out.
In the same way you won’t get home insurance if you don’t have a lock on your front door, you will now find it trickier to get good quality cyber insurance if you haven’t thought about your protection strategy.
In a useful article, the insurance broker Marsh highlights the six requirements you need to pay attention to if you want to get cyber security today. These include Security Awareness Training.
Insurers want to know that your employees both understand the risks and know how to spot and manage them. The article talks about instilling a ‘baseline’ level of vigilance in your team. We’re not alone in arguing that a ‘baseline’ simply isn’t enough. If you’re not constantly keeping cyber security at the top of mind for your people, they are likely to slip up and let an intruder through. We’re only human after all.
If you really want to prove to your insurer that you are taking the cyber threat seriously, you have to include ongoing, good quality, NCSC-recognised cyber training . How do we know? Because our clients tell us that it makes a difference.
Not a ‘tick-box’ exercise
In the past, staff cyber training has largely been a tick-box exercise – certainly from the point of view of obtaining cyber insurance.
But as attacks go up, insurers become more vulnerable to claims. So they are only going to require more proof of serious intent, to help them minimise their losses.
So you may find that your current insurer will have more stringent requirements when renewal comes round – and that if you shop around, other commercial insurers will require much higher standards of staff training. If you can show you have that training in place, you are more likely to get the insurance you need – and you may even get a premium discount.
Not only that, we’re seeing increasing numbers of clients demanding that their suppliers have adequate cyber security measures and training in place.
Still not a ‘tick-box’ exercise
Even if your insurance provider’s requirements become more stringent, getting cyber training should never be seen as a tick-box exercise. It’s the only way to fortify your main form of defence against cyber attack – your people.
It’s still the case that between 90% and 95% of successful cyber attacks are down to human error. So by paying lip service to cyber training, you’re still leaving yourself vulnerable to attack.
Take it seriously. Find a training programme that focuses on what your people do, not just know, and is recognised by the National Cyber Security Centre as providing high quality training, and start putting it in place today. Not only will it help you if you’re looking for insurance – it could be the thing that protects you from a successful attack.
Sign up to get our monthly newsletter, packed with hints and tips on how to stay cyber safe.
Mark Brown is a behavioural science expert with significant experience in inspiring organisational and culture change that lasts. If you’d like to chat about using Psybersafe in your business to help to stay cyber secure, contact Mark today.