Step 1. Consider whether cyber insurance is necessary
Thinking about cyber insurance starts with the question as to whether your business could benefit from such cover. Or to put it another way: is your business heavily dependent on its digital operations? Will you be able to continue if tomorrow the proverbial plug is pulled from your digital infrastructure? When asked this question, many companies come to the conclusion that under such circumstances their operations would quickly grind to a halt. Everyone would still be able to archive and make a few phone calls, but it would soon become clear that a major business vein had been ruptured in the absence of a digital platform. “More than a yes/no question, this initial step is primarily an eye-opener,” Tom Van Britsom points out. “Consider it an incentive to contemplate what your digital service is all about and which supply streams are vital.”
Step 2. Take out a policy sooner rather than later
Thinking about taking out cyber insurance often starts following an initial claim or when a company takes a closer look at its risk profile. “When looking at the big picture, a company discovers which maintenance and which updates or adjustments are really necessary,” Tom Van Britsom adds. “In this kind of narrative, cyber insurance is often the last step, which is unfortunate. A recognisable comparison would be you lock the door to your house every day, leave the shutters down, take good care of your home, etc. but only in the final analysis, when a fire breaks out, do you start thinking about fire insurance.” Tom Van Britsom emphasises that it is important for companies to do their digital homework, but that should not prevent them from taking out a cyber policy. Even if this homework ultimately improves the risk profile and consequently lowers the premium? “This process can easily take a year or more,” Tom Van Britsom estimates. “It is not a good idea to postpone an important decision such as taking out insurance until the situation is ideal. In any case, your organisation will be involved in a continuous process of fine-tuning and twelve months later there will already be new digital challenges awaiting you.”
Step 3. Be transparent about the situation to be insured
If you decide that a cyber policy is needed, it is vital to immediately outline the situation to be insured with maximum transparency. Provide a true picture of your company, the IT processes and digital dependence on suppliers and customers. “It is crucial to discuss this with the broker and insurer,” says Tom Van Britsom. “Where you operate, what your IT infrastructure looks like, what website you have, … these are elements that need to be clear when underwriting the risk to be insured. With this information, we as risk consultants can point out potential risks and areas that need specific attention.”
Step 4. Compare quotations (and not just the price)
About ten cyber insurance providers operate within the Belgian market, all deploying specific terms and conditions, risk appetite, experience and underwriting policies. Some insurers focus on large companies, others on SMEs. Or they may target certain sectors and refuse policies in other industries. In order to assess properly what is on offer, it is important to request and compare quotations based on your profile. “Don’t just do it on the basis of price, but also pay attention to the quality and experience of both the insurer and the broker,” Tom Van Britsom advises. “As a broker and risk consultant, we help to analyse certain factors properly: how long has an insurer been active on the market, how do they assess the risk and how does claims handling work? These are also important when considering the proposals.” A typical example is the helpline that an insurer links to a policy. It is essential to look at how it works, how well trained the experts are and how much experience (claims) the insurer has. “This expertise is not only useful to assist a company immediately when a loss occurs but is also significant when it comes to the financial settlement and the assessment of what exactly went wrong,” Tom Van Britsom adds.
Step 5. What guarantees must I subscribe to?
A cyber policy consists of various guarantees and in practice companies often subscribe to all guarantees when taking out cyber insurance cover. Would it not be more logical to eliminate any cover that has no impact on your business and thus reduce the premium? “That seems logical, but it does not work that way,” Tom Van Britsom explains. “Each guarantee has a certain weighting based on the risk. If you don’t have an online payment platform, the insurer will not attach a great deal of importance to the guarantee for this. As a result, this guarantee will not have much impact on the pricing. In other words, there is not much point cutting such guarantees.” Tom Van Britsom does point out that companies are increasingly focusing on social engineering fraud, such as invoice or CEO fraud. More and more entrepreneurs want to fully insure this risk. “If this kind of fraud takes place without breaking into the system, for example through fake e-mails, then it needs to be included in the fraud cover. We have noticed that customers often take out a separate fraud policy for this.”
Step 6. How do I determine the insured capital?
One of the most complex steps on the road to an ideal cyber insurance policy for your organisation is to determine the capital you include for insurance cover. Not an obvious estimate, but Tom Van Britsom has a clear rule of thumb. “Ask yourself how much capital will be needed to reactivate your business if it has been hacked and come to a standstill,” he states. “How long will it take to set up the IT infrastructure again and get back to work? That is a good measure to estimate lost revenue and thus determine the insured total.” Moreover, the amount of data managed by the company plays a part and ransomware also affects the estimate, although it is of course a matter of guesswork beforehand as to the extent of any ransom demands.
Step 7. Communicate internally
Once the cyber policy is in place, it is important that not only the risk manager and IT department are aware of it. Spread the word that the cover exists within your organisation, explain what the procedure to be followed in the event of an incident looks like and link this to actual data: the helpline, the reasons for contacting it, the data that is required, etc. “The CFO who takes out the policy is often not the person employees need to contact first in the event of a claim,” Tom Van Britsom adds. “Communicate the procedure very clearly, so that there can be no doubt if an incident occurs. In the best-case scenario, such a plan already exists and the cyber cover is the final component, although the policy can also be an incentive to devise a successful scenario.”
Step 8. Keep your policy up to date
An acquisition, significant growth or other developments can change the insurance situation after a while. If a company’s turnover increases, for example, it may be necessary to insure more capital. If a new branch opens, it is important to disseminate communication about the cyber policy. “There is definitely a role for the broker here,” Tom Van Britsom explains. “We continuously consult our clients about this and negotiate with insurers on that basis. A cyber insurance policy requires a great deal of maintenance.”
Step 9. Involve suppliers
It makes sense for a company that works digitally to also include customers and suppliers in the digitisation process. Safeguarding digital health is, therefore, linked to the extent to which your suppliers in particular can guarantee cyber security. “Indeed,” says Tom Van Britsom, “your organisation may be fully protected, but if your supplier is not, then you are as weak as they are. Cyber security is an element that companies can incorporate in their contracts, for example, by asking suppliers to take out a policy themselves. It is increasingly common for contracts to require continuity through backup plans and cyber insurance.”