Security assurance firm NCC Group has partnered with specialist insurance broker Oval to offer UK-based SMEs what they believe is the first affordable cyber-insurance policy for the sector sold as an optional part of a network assessment service.

Marketed under the banner ‘Cyber Assured’, the firm hopes it can extend the idea of protecting against a variety of cyber-events to a sector that has traditionally considered such protection out of its price bracket.

Oval will offer protection* from £500 ($780) per annum for £50,000 of cover, although this price will also require NCC Group to carry out an annual £3,500 vulnerability assessment and online survey to spot potential security weaknesses, which adds to the final cost.

If NCC's assessment uncovers specific problems, these might need to be fixed first for the insurance to be offered at a given level, but as with any other form of insurance, that would be between the organisation, the insurer and the underwriter.

According to NCC Group assistant director Daljitt Barn, who is also the chairman of the Cyber Risk and Insurance Forum (CRIF), the definition of SME covered firms up to £10 million turnover, with a higher tier of insurance for those up to a £50 million annual turnover.  

Despite these provisos, NCC Group is convinced that SMEs can find value in applying the concept of insurance as a way of managing risk.

“Many SMEs have been ignoring the threats to their IT infrastructure as they simply don’t understand their exposure. They assume they aren’t viable targets, and they won’t consider insurance due to the cost,” said NCC Group CEO, Rob Cotton.

“Cyber Assured will not only raise the standards of their [SME] defences, but also provide peace of mind through an affordable insurance option. Between NCC Group and Oval we are demystifying the cyber risk and providing a complete package of protection.”

The policy covers losses from data breaches, he said, quoting Ponemon research putting the costs of this type of issue at up to £86 per record to clean up. Such breaches would not be covered by any conventional insurance policy. Other insured events would include cyber-extortion and associated costs, and services going offline, for instance as a result of a DDoS attack.

Historically, doubts have been raised over whether the wider market for cyber-insurance is viable given the tiny number of firms offering products and the high cost of insurance. NCC’s solution of tying insurance to assessment services is both clever marketing for its own services and a novel way of solving some of these problems.

Others have argued that a functioning insurance market mitigating cyber-threats could act as a good influence on the security behaviour of firms willing to invest in mitigation to reduce premiums.

* The Cyber Assured policy is subject to underwriting approval by CFC Underwriting Ltd.