NCSC produces technical advice on cyber insurance

The first-ever technical advice on cyber insurance from the National Cyber Security Centre highlights the seven cyber security questions organisations should be asking if they are considering purchasing cyber insurance.

The guidance, following calls for expert technical advice on the growing cyber insurance market, urges businesses to consider seven key questions to help organisations make informed decisions about cover.

The advice encourages organisations of all sizes to think about how insurance might help in the wake of a cyber attack and contribute to existing risk management strategies. Questions range from what levels of defence are already in place to whether the insurance covers the aftermath of an incident.

Sarah Lyons, NCSC Deputy Director for Economy and Society Engagement, said: “Businesses rightly want to be as informed as possible before they invest, but when it comes to cyber insurance there simply hasn’t been enough information up to now. That’s why it’s so important for the NCSC as the UK’s leading cyber authority to offer our support by providing some clarity on the key issues to consider to ensure cyber security. Cyber insurance may not be right for everyone and it can never replace basic good security practice, but I would urge businesses to consider our guidance to help make the decision that’s right for them.”

The seven questions are:

1.     What existing cyber security defences do you already have in place?
2.     How do you bring expertise together to assess a policy?
3.     Do you fully understand the potential impacts of a cyber incident?
4.     What does the cyber insurance policy cover (or not cover)?
5.     What cyber security services are included in the policy, and do you need them?
6.     Does the policy include support during (or after) a cyber security incident?
7.     What must be in place to claim against (or renew) your cyber insurance policy?

The NCSC also highlights its Cyber Essentials scheme, which allows UK organisations to assess whether they have the measures in place to protect themselves from the most common cyber threats.