“Highly recommend John Phillips. We’ve recently had to claim on our insurance due to the loss of our websites and the whole process has been SO efficient. Every company should have cyber insurance”
Historically, cyber insurers have been keen to assist with incidents in any way they can, but it is important to note that, in order to be sure you can rely on the assistance of your provider, you must comply with the terms laid out in your policy wording. This is the basis of the insurance contract, which is essentially a promise to pay in the event of specified circumstances. If you fail to comply with any of the terms, it is possible that your claim will not be paid.
It is important to know exactly what has been set out in your individual policy as this can vary from insurer to insurer. Your broker should be able to help you with this.
There are some general minimum standards you may be expected to meet, and these could include procedural and security standards such as the following:
- Have a dedicated individual responsible for information security and privacy
- Perform background checks on all employees and contractors with access to sensitive data
- Perform background checks on all employees and contractors whose work involves critical IT infrastructure
- Restrict access to sensitive data (including physical records) to only those requiring it
- Have a process to remove system access within 48 hours of employee termination
- Have written information security policies and procedures that are reviewed annually and communicated to all employees including information security awareness training
- You are compliant with, or not subject to, Payment Card Industry Data Security Standards (PCI/DSS)
- You are not aware of any circumstances which could give rise to a claim.
- You have a procedure in place to require independent verification of the legitimacy of payment instructions before amending bank details or making payment to a recipient for the first time.
- You use anti-virus, anti-spyware and anti-malware software
- You use firewalls and other security appliances between the internet and sensitive data
- You use intrusion detection or intrusion prevention systems (IDS/IPS) and these are monitored
- You perform regular backups and periodically monitor the quality of the backups
- Your computer equipment has up to date software protecting against viruses and malicious code which is updated at least once per month.
- Access to your computer systems is authenticated by individual user identification and passwords, and all default passwords and codes are changed.
- Firmware, software and operating system updates are applied to address identified vulnerabilities within 14 days where the provider rates the threat as critical, important or high.
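Several of the standards above carry measurable thresholds (patches within 14 days for critical, important or high vulnerabilities; access removed within 48 hours of termination; anti-malware definitions updated at least monthly). The script below is an added example, not part of this page or any insurer's policy wording, of how a security team might check its own records against those thresholds before a renewal or a claim. The vulnerability identifiers, hostnames, usernames and dates are constructed sample data; reading "at least once per month" as a 31-day maximum age is an assumption made here.

```python
from datetime import datetime, timedelta

# Thresholds taken from the policy conditions listed above.
PATCH_SLA_DAYS = 14
ACCESS_REMOVAL_HOURS = 48
AV_UPDATE_MAX_DAYS = 31          # assumption: "at least once per month" read as 31 days
SLA_SEVERITIES = {"critical", "important", "high"}


def parse(ts):
    """Timestamps in the sample records use 'YYYY-MM-DD HH:MM'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def check_patching(vulns, now):
    """One finding per in-scope vulnerability that is unpatched past its
    14-day deadline, or that was patched after the deadline."""
    findings = []
    for v in vulns:
        if v["severity"].lower() not in SLA_SEVERITIES:
            continue                      # lower-rated issues are outside the 14-day term
        deadline = parse(v["identified"]) + timedelta(days=PATCH_SLA_DAYS)
        patched = parse(v["patched"]) if v.get("patched") else None
        if patched is None and now > deadline:
            findings.append(f"{v['host']}: {v['id']} unpatched, deadline {deadline:%Y-%m-%d} passed")
        elif patched is not None and patched > deadline:
            findings.append(f"{v['host']}: {v['id']} patched {(patched - deadline).days} day(s) late")
    return findings


def check_offboarding(leavers, accounts, now):
    """Every account belonging to a leaver must be disabled within 48 hours
    of the recorded termination time."""
    findings = []
    by_user = {}
    for a in accounts:
        by_user.setdefault(a["user"], []).append(a)
    for leaver in leavers:
        deadline = parse(leaver["terminated"]) + timedelta(hours=ACCESS_REMOVAL_HOURS)
        for a in by_user.get(leaver["user"], []):
            disabled = parse(a["disabled"]) if a.get("disabled") else None
            if disabled is None and now > deadline:
                findings.append(f"{leaver['user']}: {a['system']} account still active after 48h deadline")
            elif disabled is not None and disabled > deadline:
                hours_late = round((disabled - deadline).total_seconds() / 3600)
                findings.append(f"{leaver['user']}: {a['system']} account disabled {hours_late}h late")
    return findings


def check_av(hosts, now):
    """Anti-malware definitions older than the monthly maximum are a finding."""
    findings = []
    for h in hosts:
        age_days = (now - parse(h["av_updated"])).days
        if age_days > AV_UPDATE_MAX_DAYS:
            findings.append(f"{h['host']}: definitions {age_days} days old")
    return findings


def run_checks(vulns, leavers, accounts, hosts, now):
    return {
        "patching": check_patching(vulns, now),
        "offboarding": check_offboarding(leavers, accounts, now),
        "av_definitions": check_av(hosts, now),
    }


# Constructed sample records; identifiers are placeholders, not real advisories.
SAMPLE_NOW = parse("2024-03-01 09:00")
SAMPLE_VULNS = [
    {"host": "web01", "id": "EXAMPLE-VULN-1", "severity": "critical",
     "identified": "2024-02-01 00:00", "patched": "2024-02-10 12:00"},   # on time
    {"host": "web01", "id": "EXAMPLE-VULN-2", "severity": "high",
     "identified": "2024-02-01 00:00", "patched": "2024-02-20 12:00"},   # 5 days late
    {"host": "db01", "id": "EXAMPLE-VULN-3", "severity": "important",
     "identified": "2024-02-10 00:00", "patched": None},                 # overdue
    {"host": "db01", "id": "EXAMPLE-VULN-4", "severity": "low",
     "identified": "2024-01-01 00:00", "patched": None},                 # out of scope
]
SAMPLE_LEAVERS = [{"user": "jdoe", "terminated": "2024-02-20 17:00"}]
SAMPLE_ACCOUNTS = [
    {"user": "jdoe", "system": "vpn", "disabled": "2024-02-21 09:00"},    # within 48h
    {"user": "jdoe", "system": "crm", "disabled": "2024-02-26 10:00"},    # late
    {"user": "jdoe", "system": "email", "disabled": None},               # never disabled
    {"user": "asmith", "system": "vpn", "disabled": None},               # not a leaver
]
SAMPLE_HOSTS = [
    {"host": "web01", "av_updated": "2024-02-25 03:00"},                  # fresh
    {"host": "db01", "av_updated": "2024-01-15 03:00"},                   # stale
]


def sample_report():
    return run_checks(SAMPLE_VULNS, SAMPLE_LEAVERS, SAMPLE_ACCOUNTS, SAMPLE_HOSTS, SAMPLE_NOW)


if __name__ == "__main__":
    for area, items in sample_report().items():
        print(f"{area}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

The point of recording the evidence this way is that, after an incident, an insurer may ask for exactly these dates: when the vendor rated the vulnerability, when the patch went on, when the leaver's accounts were disabled. A report like this, run regularly and kept, is far easier to produce than reconstructing the timeline from ticketing systems under pressure.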
This list is by no means exhaustive, and not every policy will apply every term, but it is a good starting point for thinking about the terms you are expected to comply with, and for speaking with your broker if you have any concerns.