Email Security

    How to Clear the Rising Bar for Cyber Insurance
     
     

    Cyber insurance premiums have been skyrocketing, so companies need to pull the right levers to control their cyber risk and manage cyber insurance costs

    by Neil Clauson

    Key Points

    • Businesses have a growing need for cyber insurance.
    • But cyber insurers are raising rates and tightening terms.
    • Solid cyber defenses help applicants get more affordable coverage.

    Cyber insurance providers have become more demanding — charging bigger premiums, setting higher deductibles, and requiring better evidence of risk management. But they’re also providing less coverage. How can your business get the affordable insurance coverage it needs in this changing environment?

    Cyber Crime Wave Strains Insurance Industry

    What’s driving higher cyber insurance costs? Lloyd’s, the insurance underwriting giant, recently issued the following market bulletin: “The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.”

    In addition to paying more, applicants must meet increasingly stringent cybersecurity standards. Due to losses, insurers are tightening their underwriting terms, carefully analyzing all cyber insurance applications, and asking more questions than ever before about an applicant’s cyber operating environment and risk controls.

    Certain cyber damages are not typically covered, such as the loss of intellectual property or future profits. Significant, yet intangible, losses to your brand and reputation are also not covered.  Coverage may be capped if the attack involves ransomware or not available if it’s a state-sponsored attack.

    Consequently, even as more companies are looking to insure against ransomware and other cyberattacks, security professionals have become less confident in this safety net. 

    Companies Need to Improve Access to Cyber Insurance

    Depending on company size, industry profile, desired coverage, risk profile, and other factors, companies may pay annual premiums ranging from under $1,000 if it’s a small business to hundreds of thousands, if not millions, of dollars if it’s a major multinational. In return, companies want protection against losing 10 times that amount or more in a cyberattack. 

    Many businesses no longer consider it an option to do without cyber insurance. However, insureds lacking basic cyber hygiene can expect to see continued significant premium and retention increases, coverage restrictions, and/or overall insurability challenges.

    Companies seeking to acquire or renew cyber insurance policies under the most favorable terms possible need to develop good hygiene in a way that presents a clear and consistent story to insurers. It’s a good idea to think like an insurer focused on business losses when assessing your risk profile, including:

    • Your industry’s profile.
    • The volume of sensitive data you store and process.
    • The potential impact of a cyberattack on business operations.
    • Your company’s score on public cybersecurity rating services.

    Insurance providers are upfront about their growing list of cyber requirements surrounding companies’ people, processes, and technology, inlcuding:

    • Multifactor authentication
    • Email filtering and web security
    • Secure backups
    • Conditional access management
    • Endpoint detection and response
    • Patch management
    • Incident response plan
    • Cybersecurity awareness training
    • Hardened systems
    • Monitoring
    • System replacement at end of life
    • Supply chain risk management

    In addressing the items on this list, Mimecast's human risk management platform and human-risk-centric security and awareness training represent front-line defenses, since most cyberattacks originate in malicious emails. We also recommend maximizing your controls with tactics including API integration for threat sharing and orchestrated response across your cloud email and collaboration platforms, numerous endpoints, and multiple point security solutions.

    Among other steps, consider following an established risk framework, such as the Factor Analysis of Information Risk (FAIR) model. And conduct tabletop exercises to continually test and strengthen incident response.

    The Bottom Line

    Rising cyberattacks have driven cyber insurance rate increases and tighter limits on who and what will be covered or not. Assess your cybersecurity people, processes, and technology, and then consider which levers you can pull to reduce the frequency and severity of attacks. From this position of strength, you’ll be better able to provide the assurances that insurers require, manage your premium increases, maximize your policy limits, and overall coverage, and minimize your financial risk.


     

    **This blog was originally published on October 3, 2022.

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page