Buying cyber insurance

You can buy cyber insurance directly from an insurer or from a broker. You can find brokers specialising in cyber insurance through the British Insurance Brokers’ Association (BIBA).

Policies are generally available for SMEs with cover limits between £100k and £5 million, although significantly higher amounts of cover are available for firms facing more complex cyber risks.

During the application process, you will be asked a variety of questions about your business and cyber security practices. These include questions that are common to all types of insurance, such as information about your business, turnover, customers, insurance claims history, etc.

Some questions specific to cyber insurance that insurers may ask during the application stage include:

Cyber security policies and procedures

What current cyber security policies do you have in place?
Do you have a designated Chief Privacy or Information Security Officer?
Do you use encryption?
Do you use and implement multi-factor authentication?
Do you have secure remote access (access control procedures to prevent unauthorised access) to your systems and network?
Do you have anti-virus and firewall software?
Do you regularly apply patches to critical systems and to anti-virus / firewall software?
Do you have a Business Continuity or Disaster Response Plan which includes cyber-attacks (e.g. data breaches, security breaches, denial of service, ransomware)? Has the Plan been tested in the last 12 months?
Do you have any cyber security certifications, such as Cyber Essentials?
Have you experienced any previous cyber incidents?
Do you take any additional steps to detect and prevent ransomware attacks?

CyberSecurityPoliciesProceduresBuyingCyberInsurance

Data usage and storage

Do you collect, store or process data?
What type of data do you collect, store or process?
How much data do you collect, store or process?
What level of sensitivity is stored data?
Do you encrypt all collected, stored and processed personal and confidential data?
Do you comply with UK data protection legislation?

Back-ups

How frequently do you back-up your systems?
Is your back-up stored offline in a secure location with access restricted to authorised personnel only?
Do you use log-in credentials that are unique to the back-up and are stored separately from other log-in credentials?
Is your back-up disconnected from and inaccessible through the organisation’s network?
How quickly can you obtain data from your back-up?
How long would it take for you to fully restore your systems from your back-up?
How regularly do you test your back-up?

Website usage

Do you have a website?
What is your website’s URL?
How much reliance do you have on your website for generating revenue?

Card payments

Do you use card payments?
Are you compliant with the most recent Payment Card Industry Data Security Standard? If so, to what level?

Outsourcing

What IT / Data services are outsourced to third parties?
what due diligence do you perform for this?
Do you provide personal identifiable, sensitive or confidential information to third parties?