Automation, digitalisation, the cloud, cybercrime, hybrid wars – there are many reasons to insure against online threats. At the same time, insurance policies have become more restrictive and expensive. Companies who go the route of ISO 27001 certification can counteract this development.
In this article
- The facts in a nutshell
- What is cyber insurance?
- What are cyber threats?
- How expensive is cyber insurance?
- On the whole, what should a cyber insurance policy include?
- How does ISO 27001 cover cyber security?
- How can ISO 27001 certification mitigate cyber risks?
- What are the advantages of ISO 27001 certification compared to cyber insurance?
- How do information security and cyber security interact?
The facts in a nutshell:
- In the face of ever new and more dire cyber threats, the cyber insurance policies that insurers offer can sound quite tempting.
- But when it comes to concluding policies, insurers can be restrictive. They calculate on the basis of the risk a potential client company bears. Companies who cannot prove that they are taking appropriate security measures will find it difficult to take out a contract and claim benefits in the event of an emergency.
- This is where ISO 27001 comes in: certification according to this standard forces you to get down to the nitty-gritty of your company. You have to set up rules which then require documentation and constant monitoring.
- Once you know that your company is in top shape, you will be prepared to face an insurer and save money – both when concluding your cyber insurance contract and in the event of an emergency.
What is cyber insurance?
Cyber insurance is there to protect companies against cyber threats, that is, against damage caused by external attacks on a company’s IT system or by internal mistakes that end up compromising security. Insurance covers both damages that affect the company directly as well as those suffered by third parties due to a failure of the company’s systems.
What are cyber threats?
Taken as a concept, the main cyber threat is the potential for cyber criminals to access a company’s data and IT systems and cause serious damage – up to and including the failure of critical systems or even complete and sustained disruption of business operations.
Horror scenarios that garner much public discussion include hacker attacks, Trojans and, above all, blackmail through ransomware, while current armed conflicts demonstrate that the digital world has long been a battleground on which the survival of companies, states and political systems is at stake. According to a study by the IT industry association Bitkom, nine out of ten companies were victims of a cyberattack in 2021. The German economy suffered a total loss of €223 billion in the same year, which again constituted a record compared to the previous year.
But with cyber threats, sometimes the call is coming from within the house: failures of IT infrastructure, faulty software or inattentive or frustrated employees losing or stealing data are all examples of risks internal to a company itself. Then there is the threat of force majeure events, for example storms, floods or power outages.
How expensive is cyber insurance?
The price range is a wide one, with cyber insurance incurring annual costs of between about £435 and £86,915. As is the case with all types of insurance, the actual price depends on the level of risk.
In the industry, the greatest emergency is considered to be an extended period of interrupted operations in a large company with central systems, such as the ERP system, on the blink and no emergency plan in place.
Companies should be cautious because this insurance class is relatively young and there are still no uniform names for the tariffs. The German Insurance Association (GDV) drew up model terms and conditions in 2017, but they are not binding. In addition, cyber insurance may overlap with other insurance policies, which can lead to double payments or even result in insurers passing the ball around in the event of an emergency.
On the whole, what should a cyber insurance policy include?
Cyber insurance should cover the main threats stemming from an external attack as well as a security-related internal failure of a company’s systems.
A good policy will cover direct damages caused by the attack or failure while also extending to the costs the company will incur to fully resume business operations – for example, costs for repairing and restoring IT systems as well as costs related to engaging external case analysts, lawyers and crisis managers.
How does ISO 27001 cover cyber security?
ISO 27001 defines basic principles on how to deal with the issue of information security. The standard serves to provide companies, regardless of size and industry, with a framework of policies, procedures and measures designed to mitigate threats associated with information security breaches.
This includes the following threats:
- Physical threats, for example fires in server rooms
- Threats posed by employees, i.e. theft of data or negligence
- Threats to systems and processes, e.g. through faulty software
- Threats from cyber crime
ISO 27001 lists measures for all threats – physical, technical and legal – ensuring that security measures are in place to protect data and information.
How can ISO 27001 certification mitigate cyber risks?
ISO 27001 certification requires companies to maintain a certain set of documentation on IT assets and process flows, both internal and external, for example for order processing. If you want to meet the requirements for certification, you have to know your company inside and out as well as the potential risks you face.
Read our blog article on conducting ISO 27001 Risk assessment in 7 steps to learn more about risk assessment and management.
Companies that want to avoid damages and be able to launch immediate and targeted measures in the event of failures or security breaches should bear in mind that documenting, monitoring, and continually developing their processes are essential steps.
If you’re already gathering all the information and setting up rules according to the standard in preparation for the first stage of certification, you’ll need to get to know your company inside and out. Doing this will not only help you avoid threats; it will also enable you to optimise your processes – an added value for your company that goes far beyond mere damage prevention.
Digitalisation is an often costly but important step towards making your company viable for the future, and now more than ever, in a time of wars that are also being fought in cyber space, every company should know what it’s doing here. It has long since ceased to be enough to take care of your core business and count on cyber insurance to step in at a pinch. Companies need to stop wasting time and prepare for emergencies without delay.
We recommend that you tackle ISO 27001 certification now, and we’re happy to provide you with further information and support along your path to getting certified.
What are the advantages of ISO 27001 certification compared to cyber insurance?
It’s better to prevent damages than to try and fix them later. Cyber insurance covers the eventuality of an emergency happening, while ISO 27001 certification helps your company avoid emergencies in the first place.
It seems obvious to assume that ISO 27001 certification is the basic prerequisite for cyber insurance, and not only for the process-related reasons we’ve discussed here. Certification also has financial benefits in terms of cyber insurance.
It’s been established that insurers calculate on the basis of the risk a company bears. So, in times like ours that are characterised by climate catastrophes, hybrid wars and global political upheaval, insurers have become extremely vigilant about their own risk. Companies who can’t show that they have ISO 27001 certification or other equivalent security measures in place will pay a very high premium for cyber insurance. Alternatively, they may not be able to take out a policy at all or may find it difficult to assert their claims against the insurer if things should happen to go south.
Setting up a system for information security that is compliant with data security and privacy requirements, also called an information security management system (ISMS), is vital for a company’s survival – and it’s worth hard cash, too. The purpose of ISO 27001 is to provide the necessary guidelines for setting up an ISMS.
How do information security and cyber security interact?
Information security comprises all the measures that companies use to protect their information and data, including defining policies to prevent unwanted access to business or personal data.
This includes a wide variety of areas such as network and infrastructure security, auditing and testing. Every bit of data, every scrap of information and every piece of equipment that add functional value to an organisation and thereby allow business requirements to be met are considered information assets, all of which require protection. The objectives of information security are confidentiality, integrity and availability.
You can’t go online with any degree of safety unless you first protect your company’s information assets. In short: without information security, there is no cyber security. You can learn more about information security and cyber security in this article.
Nowadays, if you want to protect your company against cyber threats by getting cyber insurance, you’ll need to be prepared – that means preventative measures as well as an emergency contingency plan in case things go south. Keeping your business in order, implementing appropriate measures to secure your information and data and being able to prove you’ve done so are the prerequisite to getting cyber insurance. ISO 27001 certification will simplify contract negotiations – in some cases, you won’t be able to have them in the first place without it.
To compensate for this increase in cyber threats, read our blog article on the 10 steps to Cybersecurity.