The guide (28-page / 4.3MB PDF) has been described as "the first of its kind" by the authors, which include Insurance Europe, the Federation of European Risk Management Associations (FERMA) and the European Federation of Insurance Intermediaries (BIPAR). It sets out how organisations should assess their cyber risk and potential vulnerabilities before contacting a potential insurer and where they might find this information, and provides information on the different types of cyber coverage that are generally available.
Publication of the guide coincides with new research into businesses' cyber security preparations and budgets by professional services firm EY. Their report (36-page / 2.6MB PDF), based on a survey of more than 1,400 professionals, found that while 87% of organisations had a limited budget for cyber security, larger companies in particular are budgeting more towards cyber security and resilience this year and next year.
"Our ambition is to support insurance buyers in selecting the insurance solutions that are best adapted to their needs," said FERMA president Jo Willaert, of the industry guidance.
"While recent cyber events have made organisations much more aware of the cyber risks they face and more conscious of the need to manage their cybersecurity exposure, many companies still struggle to translate their cybersecurity concerns into concrete action. The solutions typically offered by insurers do not only include insurance coverage, but also prevention advice and mitigation support in the event of a cyber-related incident," he said.
"Cyber insurers not only offer access to cyber experts in the event of an incident at discounted rates and with guaranteed availability, but also offer various risk management tools including access to online training or cyber simulations through their panel of providers," said Ian Birdsey, a cyber risk expert at Pinsent Masons, the law firm behind Out-Law.com.
Of the organisations covered by the EY survey, 35% said that they had sufficient cyber insurance to meet their needs. Respondents said that they would be unlikely to step up their existing cyber security protocols or protections unless they suffered a breach or incident with significantly harmful repercussions, with 63% saying that they would not spend more money on cyber security in response to a breach where no harm was caused. However, 76% of those businesses that had experienced a breach increased spending in response.
Birdsey said, however, that in his experience "companies of all sizes, from SMEs to plcs and multinationals, will embark upon a programme of security improvements following a security incident".
"This is often driven by regulatory concerns where an organisation may have had sub-standard controls at the time of an incident and they are keen to demonstrate that they have taken various steps to address any security issues post-incident to mitigate against the risk of a similar incident occurring in the future," he said.
The riskiest areas of vulnerability identified by respondents to the EY survey were careless or unaware employees (cited by 34% of respondents), outdated security controls (26%) and unauthorised access (13%). However, only 15% of respondents said that they had taken basic steps to protect against threats coming through third parties, only 22% had conducted self-assessments of their risks, and only 14% had ordered an independent risk assessment to be carried out.
"In my experience, the common causes of incidents including vulnerabilities and failings could have been addressed and eliminated in advance of an incident, such as implementing multi-factor authentication for accounts or warning and training staff to identify phishing attacks and attempted invoice payment frauds," said Birdsey.
The industry guidance states that the first step for any business wishing to implement some form of mitigation against cyber risk is internal research into its risks and how it manages them. It notes that this exercise could lead to improvements in the way the business manages cyber risk, as well as providing it with the information it will need to fill out insurer questionnaires should it decide to purchase insurance.
The industry guidance also emphasises the role to be played by the senior management of the business in preparing to discuss its cyber insurance needs, particularly in regard to collating the necessary information from different parts of the business. According to the EY research, the person responsible for information security is not a board member at 60% of the surveyed firms, although 70% of responding organisations said that their senior leadership has a comprehensive understanding of cyber security or is taking positive steps to improve understanding.
Birdsey said that successful cyber risk management and mitigation "has to be both top-down and bottom-up" within an organisation.
"Neither will be effective unless leadership and management teams sponsor and drive best practice," he said.