REQUIREMENTS FOR CYBER INSURANCE

Insurance companies are setting more stringent requirements to obtain cyber insurance cover. We spoke to several to review their application questionnaires. Here is a summary of what’s changed and what you need to get cover.

Are your backups separate from your Production data?
Insurance companies have quickly realised that paying out isn’t sustainable. They responded by:
• Increasing the cost of cyber insurance cover
• Having more stringent assessments on a policy holder’s ability to recover without claiming
• Discouraging paying ransoms

Are your backups encrypted?
Whether they’re on removable media like tape or in a remote data centre somewhere, you don’t want them to be readable to anyone who finds (or steals) them.

Have you tested your recovery?
Insurers want to know if you’ve actually tested recovering. They may want evidence of the recovery.
In the documentation we’ve seen from insurers, tests must have been in the last quarter, 6 months, or year.

Do you have a Business Continuity Plan?
This doesn’t necessarily mean tonnes of documentation. Plans should always be appropriate to the organisation they’re for.
Smaller, less complex organisations don’t need overly complicated plans. In fact, short, clear and concise plans are better.

Have you had a ransomware attack or data breach?
Insurers will be checking on your history and record of attacks and outages to see if you are a sensible bet to insure.
If you have a track record of attacks, breaches and outages it will be harder and more expensive to find cover.

What is your annual budget for IT & Cyber?
Throwing money at your cyber defences doesn’t guarantee you’re well protected but insurance companies will use this answer as a simple sanity-check to see if IT and cyber is being adequately resourced.

How quickly do you deploy critical updates?
Staying up to date with software and patches is one of the fundamentals of good cyber security. You don’t need a big budget to do this well; you just need to have the process in place and the discipline to stay on top of updates.
In the questionnaires we’ve seen, options range from 24 hours up to 1 month.

What cloud services do you use that are essential to your operations?
Your supply chain is critical for you to deliver your services. As cloud adoption has increased, we have all become increasingly reliant on key cloud services like Microsoft 365, accounting, CRM and ERP systems.
We’ve not yet seen detailed questions about the resiliency of your systems in these cloud services but expect more detailed investigation here in future.

How often do you audit the security of your cloud and other service providers?
Your ability to influence suppliers like cloud providers or service providers is less than the control you have over your internal systems. But, if your suppliers can’t meet your needs, you can take your business elsewhere.
It is important that you know how these suppliers operate and treat your data. Insurers expect you to audit your suppliers at least annually or every 6 months.

Get in touch to find out how to reduce your cyber insurance costs.
www.databarracks.com
