Best Guide to Pen Testing for Cyber Security insurance - CYBRI

By Paul Kubler

Facing the prospect of major financial fallout from an attack, executives have turned to cyber insurance. Insurers are issuing large sums of policies, and the amounts of protection available are increasing. 

Despite the increase in cyberattacks, some companies are buying less cyber insurance or none at all, as the economic strain of Covid-19 has led some of them to view cyber insurance as a luxury. Cybersecurity insurance premiums vary by carrier. Most carriers offer only limited coverage, while other firms offer full-cover policies.

And while more attacks could increase demand, they also create a supply problem, making insurers wary of providing cover and reinsurers less interested in backing cyber liabilities. 

For companies looking to bring more cyber liability insurance into their risk management practices — or to buy it for the first time — some planning is necessary. After all, we’re looking at an environment in which claims are increasing and insurers lack the historical data and overall experience to develop the analytics they’d use in more mature lines of business, such as property. Cybersecurity risks have changed the business landscape for insurance providers. Just as with fire and flood, carriers develop risk models knowing that at some point these disasters will happen. Carriers have adapted their business models to include business impact assessments for possible attacks within their clients’ networks.

While some cyber insurance policies contain specific provisions for errors and omissions (E&O), most providers sell these as separate and distinct policies. E&O insurance does not cover the loss of third-party data, such as customer credit card numbers; customers needing such protection can purchase a cyber insurance policy that covers it.

Among small businesses with fewer than 250 employees, the average reported cyberattack cost was about $25,600, according to a 2021 report from Hiscox, an insurance provider. That amount could be enough to shutter some small firms.

What is required for cybersecurity insurance?

Organizations are required by most insurance carriers to ensure the secure deployment and upkeep of the following security capabilities and adaptive controls:

  • MFA for:
    ◦ Anyone with privileged access
    ◦ Domain accounts
    ◦ Accounts with access to sensitive on-premise resources
  • Endpoint detection and response (EDR), including:
    ◦ Anti-virus with heuristics capabilities
    ◦ Behavior detection
    ◦ Exploit mitigation
  • 24/7 security monitoring
  • Security governance and policies
  • Employee training
  • Incident response and awareness plans
  • Secure VPN or zero trust access
  • Patch management
  • Email security

Protecting Your Organization: Before and After the Breach

Penetration testing engagements identify security deficiencies and analyze their impact on your business. By mimicking real cyber-attacks, analysts probe your network to find externally exposed weaknesses, prioritize the resulting risks, and recommend how to cost-effectively keep your sensitive information secure.

Why would your company need a penetration test?

“Better trust what you know than the reality you don’t” describes the truth of penetration tests.

With the rise of cyber attacks on firms’ databases, services, networks and bank accounts, assessing a company’s cybersecurity before attackers do is crucial for every business. A single security breach can cause the permanent loss of clients’ and stakeholders’ trust and, in some situations, can even lead to bankruptcy. One of the basic steps to protect your company’s data from unwanted eyes is to perform a penetration test.

What are the benefits of performing a penetration test?

Organizations often have thousands of devices connected to the network, but do not know which of them are exposed to the Internet. Pen testing is used to test applications and networks for vulnerabilities.

It’s important to perform pen tests regularly, because you want to catch potential issues before they turn into real problems.

Pen testing should be a work stream or sprint within the organization’s overall security strategy, not a once-a-year engagement.

Frequent testing and scanning could help lower cyber insurance rates. This, however, is up to the carrier of the policy; it is not an industry-wide practice.

  1. Security testers take anywhere from two weeks up to one month to conduct their tests.
  2. More than half of security testers spend less than one day conducting their tests.
  3. Only 13% of security testers spend over one month conducting their tests.
  4. Companies that do not conduct regular security tests are missing out on critical information that could save lives, money and reputation.
  5. Cybersecurity professionals who understand how attackers think are better equipped to stop them.
  6. Organizations that do not address blind spots in their defenses are putting themselves at risk.

How is cyber insurance aligned with risk management?

The loss, compromise or theft of electronic data can have a negative impact on a business, including the loss of customers and revenue. Businesses may be liable for damages stemming from the theft of third-party data. Cyber liability coverage is important to protect businesses against the risk of cyber events, including those associated with terrorism. Cyber-risk coverage can assist in the timely remediation of cyber attacks and incidents.

In 2011, Sony’s PlayStation Network was breached by hackers, exposing the personally identifiable information (PII) of 77 million PlayStation user accounts. The breach prevented users of PlayStation consoles from accessing the service, an outage that lasted more than 25 days. Sony incurred over $171 million in costs related to the breach. Portions of this cost could have been covered by a cyber insurance policy, but Sony did not have one in place. A court ruled that Sony’s insurance policy covered damage to physical property only, leaving Sony to bear the full cost of the cyber damages.

Insurance rules constantly change with the times

  • Most insurers now require proof that a data breach response plan is in place.
  • Over 45% of cyber insurance plans will not be renewed in 2022 because firms do not have proper security software, plans and processes in place.
  • Some insurance carriers require the companies they insure to undergo regular penetration testing and security audits by independent third-party firms with no association to the company or its personnel in any form.
  • Cyber insurers often refuse to pay policyholders who don’t demonstrate ‘reasonable care’ in their security program.

Tomorrow’s cyberattacks may not look much like today’s — as evidenced by 2020’s spate of ransomware compared with the breaches of 2015 to 2017. For insurers to respond to this unique threat, they’ll have to become comfortable allocating capital to the sector, and that comfort will vary over time until the industry’s body of knowledge becomes sufficient to treat cyber like mature classes of business.

Until then, companies will need to invest in protection while working with their insurers to increase the types and amounts of insurance available.
