Not only have the number of crimes increased, but the impact of these breaches has also become more severe. Criminals are gaining access to huge amounts of personal data from enterprises, including bank details and ID documents, as seen in the recent attack on Arnold Clark. Companies integral to the UK’s national infrastructure are also being crippled by cyber attacks, such as Royal Mail, which has seen severe disruption to its overseas delivery capabilities following a breach. Owing to the higher severity of breaches, the average cost of a single attack in the UK has reached a seven-year high at £4.56 million which has, in turn, had a major impact on both the rates and the requirements for cyber insurance. As the frequency and value of payouts has gone up, so has the price of cyber insurance – rising by 66% in the third quarter of 2022, following a peak increase of 102% in the first quarter. And, while policies will of course differ between insurers, there is an ever-growing checklist of requirements that organisations need to adhere to in order to be accepted. It is no longer an expectation that companies show they’ve taken appropriate action to protect themselves against cyber crime, it is a requirement. And those that can’t prove they have provided sufficient technical solutions and training to secure their network will be denied insurance or refused payment when making a claim. This comes alongside an increased number of exemptions from Insurers as to what they will, and will not, cover. One of those most notable of these recently was Lloyd’s of London’s decision to no longer protect against ‘state-sponsored attacks’, meaning that any attacks an Insurance company could claim were linked to a nation-state would no longer be covered. For businesses, this has led to a few questions. Firstly, what are the requirements to qualify for cyber insurance and what will be covered? And secondly, given the robust level of security your organisation will achieve through ticking off the checklist of requirements – is the cost of insurance actually worth it? Am I eligible for cyber insurance? Across the board, insurance is becoming increasingly challenging to get hold of. Not only are costs soaring, but underwriting requirements are higher and greater scrutiny is being placed on risk mitigation and security program maturity. Therefore, for businesses to be eligible for cyber insurance, they need to show that they already have robust security in place. While the specific requirements for cyber insurance will vary – based on the industry, insurer, the size of the business and the type of coverage required – there are some universal security measures that every business looking for insurance needs to have in place: • Endpoint Detection and Response (EDR) – As the number of endpoints (including laptops, mobile phones, tablets etc) continues to rise, so does the number of entry points for criminals. EDR is designed to monitor, discover, investigate and respond to threats across a network of endpoint devices and is becoming a must-have for those seeking insurance. • Multi-Factor Authentication (MFA) – This one almost goes without saying, as it has become a common part of day-to-day business operations, but having MFA in place for business networks, emails and applications is another requirement Insurers are looking out for. • Separate backups – As attacks become more advanced, having a single data backup is no longer enough, as this can potentially be compromised. Having multiple backups, in different locations, is another requirement for cyber insurance. • Cyber awareness training – Even the strongest cyber security measures can be brought down by a hole in the human firewall. Therefore, Insurers will need businesses to provide regular training, and assessment, to their employees to mitigate the risk of breaches through social engineering attacks. • Penetration and stress testing – As with assessments to show staff are trained against cyber threats, Insurers also need to see that cyber security tools can withstand the threats in the environment. Showing the results of penetration and stress tests can help alleviate concerns around a business’ level of protection. • Zero Trust Network Access (ZTNA) – Whilst ZTNA may not yet be a universal security measure, it is growing in popularity, and has become a widely accepted choice for providing secure network access - replacing outdated VPNs. It may not be something all Insurers are looking for now, but will likely become so down the line due to the increased security it provides. Having these measures in place can help towards eligibility for cyber insurance, however, actual requirements will vary on a caseby-case basis. Additionally, while F i nanc i a l Innov a t i on & F i nTech 42 Finance Monthly.