Over the past six months, we have held numerous discussions with a range of medium-sized organisations that would like to take out new cybersecurity insurance or adapt existing policies. The consistent tenor we have heard everywhere is that it is becoming increasingly difficult to obtain affordable policies at all. Insurance against cybersecurity risks is now considered a high-risk line of business by many insurers. Consequently, many insurers are continuously tightening the conditions and requirements under which risks in this area can be insured.

We have derived the following core challenges from the above-mentioned discussions:

  1. Rising premiums and deductibles: Due to the increasing number and severity of cyber attacks, premiums and deductibles are rising. Companies must therefore expect higher costs for insurance cover.
  2. Stricter requirements for risk management practices: Insurers are placing increasingly stringent requirements on companies’ cyber security practices. Among other things, this includes regular security audits, the implementation of state-of-the-art cyber security practices and proof of a robust technical security infrastructure.
  3. Adapting policies to new threats: As new cyber threats evolve, companies need to ensure that their insurance policies cover these risks. Adapting existing policies to provide protection against new types of attacks is challenging or even impossible if organisations cannot provide evidence of state-of-the-art security practices.
  4. Assessing your own risk profile: Organisations need to realistically assess their own risk profile to ensure adequate coverage. This includes assessing the probability and potential damage of cyber attacks. In particular, our discussions show that many companies underestimate the risks – and do not consider themselves to be a worthwhile target.
  5. Negotiating with insurers: In a market characterised by rising demand and increasing risks, negotiations with insurers are becoming ever more challenging. Companies need to build a strong negotiating position in order to receive an offer with appropriate conditions.

For companies that want to insure themselves against cybersecurity risks, the question arises: how should they deal with these challenges? We recommend proactively developing an awareness of your own risks even before the first discussions with potential insurers or brokers. The best way to do this is with a methodical approach to managing information security. The international standard ISO 27001 describes a management system for this and is well suited to addressing the challenges mentioned. With its risk-based approach, the points mentioned above can be addressed proactively – regardless of whether or not the organisation opts for formal certification. However, we believe that a certificate from an accredited certification body is likely to become a prerequisite for ensuring that cyber security risks remain insurable.

Is your company also facing the challenge of taking out appropriate insurance? We would be happy to arrange a free initial consultation on the subject of information security.
