Natalie Kress
We all, in our personal and professional lives alike, are nowadays almost entirely dependent on technology. As the use of IT, telecommunications technology and technology infrastructure expands and the divide between personal and professional life continues to blur, businesses are becoming more and more vulnerable to internal IT errors and not just external hacker attacks.
Any loss or manipulation of data may have serious consequences for any company, including financial and reputational damage or can even result to going out of business.
More companies are realizing the risks and are opting for cyber risk insurance cover, recognizing that even the best IT security cannot guarantee 100 percent protection against attacks. As cyber risk underwriters, we have to analyze each company’s bespoke needs separately.
No company is the same when it comes to IT integration and dependency on IT and telecommunications systems. So there are a lot of detailed questions to consider during the analysis phase: which scenarios may be most likely to occur? Are there particular weaknesses? Do hackers have a special interest in the company, because it stores a high amount of customer personal data, for example?
Those are the kind of questions we ask our clients. More generally, financial information such as turnover, profitability and number of employees is important in understanding the wider context.
Using risk assessment questionnaires, we are then able to analyze the security philosophy of the company. Examples of things we are looking for here include whether there are security guidelines within the IT department and how they are managed and executed. We want to know how information is secured and how access rights are managed. We will seek to establish whether there is virus protection already installed and backups in place. We will also want to understand network design and security, emergency and business continuity plans and physical security, as well as information on systems used and security settings and systems.
From the cyber underwriter’s perspective, each of these parameters needs to be assessed if we are to offer our clients a truly tailor-made solution.
We can only provide insurance cover if a certain level of IT security is already in place and there is a commitment to improving it, where necessary. But, of course, if a business provides us with the necessary information on the level of security of the company, then we are then perfectly equipped to help you do so.
Ultimately, it is important to remember that a cyber risk insurance policy should not be considered an alternative to IT security, but rather a protection of the balance sheet in case a crisis incident occurs.
Natalie Kress is based in Frankfurt and is a cyber risk underwriter for ACE Group in Germany.
