As the cyber threat landscape continues to evolve, so do the security solutions around it, and in the same way, cyber insurance is evolving too.
Because cyber insurers have no way of preventing attacks themselves, one way insurers in the UK try to reduce risk is by mandating certain security measures, such as Cyber Essentials (and Cyber Essentials Plus), Multi-Factor Authentication (MFA), and security awareness training.
Cyber Essentials and MFA are security controls that businesses can implement to protect their user devices and accounts, whereas security awareness training exists to help users recognise when they are being attacked.
Security awareness training is required because insurers have realised that users are the weakest link in the security chain, not because they are ignorant, but because they are not trained to identify attacks.
It is also worth noting that insurers are quietly updating policies to make it more difficult to make a claim when user error has resulted in an attack or loss of funds. Requirements such as "independently verifying" payments before they are made are a way for companies to ensure that processes are in place for employees to follow, for example contacting a supplier through a known channel to confirm that new payment details are legitimate.
Without having these processes in place, insurers are unlikely to pay out, and in cases where claimants have taken legal action, the courts are siding with the insurers. What this means to me is that, as always, you need to cover as many bases as possible.
Put security in place; it will SAVE you money.
Get insurance; it could provide financial support in the event of a breach.
Have a joined-up approach to security; instead of relying on insurance or security tools, make sure you have processes and policies in place that ensure staff understand what they need to do to avoid incidents.