The landscape of cybersecurity insurance is shifting in the wake of a wave of high-profile ransomware attacks. Over the last five years, the U.S. has suffered more than 4,000 ransomware attacks a day, according to a U.S. government interagency report, which works out to roughly one attack every 20 seconds.
With the average cost of a data breach pegged at $3.86 million, according to Ponemon Institute research, it's vital to put time and resources into cybersecurity. A strong security posture reduces both the likelihood and the impact of an incident and can earn lower premiums, so it pays to get your house in order before you start shopping for policies.
These attacks have driven greater adoption of cybersecurity insurance, but carriers are discovering that claims can prove extremely costly.
As costs for carriers have soared, some insurers have cut back the ransomware coverage they offer. After French businesses, hospitals and schools lost an estimated $5.5 billion to ransomware, AXA, one of Europe's top five insurers, announced it would stop writing policies that reimburse ransom payments in its home country.
In our experience working with insurers and studying the market, others have reduced coverage limits, raised premiums and introduced far stricter policies that expect policyholders to adopt all reasonable precautions, meet strict compliance requirements and implement strong, well-documented security controls.
Here are a few steps to take before you start looking:
1. Evaluate Exposure and Protection
These are some of the questions you should be asking yourself as you evaluate the risks your company faces:
Does your company collect or handle sensitive information such as payment card data (governed by PCI DSS), personally identifiable information (PII), or protected health information (PHI)?
The more sensitive and regulated data that you collect, the more at risk your company is. It’s important to have strong, holistic risk management in place.
Is your customer information safe and secure? Make sure you're following best practices for encryption (in transit and at rest), data storage, backups (tested regularly, and kept offline or otherwise out of reach of an attacker who has already compromised the network), retention, and least-privilege access.
Does your business depend heavily on confidentiality? Defense Industrial Base and healthcare organizations do, and they collect and store large volumes of sensitive data, which makes them prime targets for cyber-attacks.
Do you have a website or web application that interacts with customers and stores login credentials or other sensitive data? Web-based attacks are extremely common. Regularly scan your website and web applications for the weaknesses attackers exploit. An automated web vulnerability scanner will find the common classes of flaw, but it will not find business-logic weaknesses, so supplement it with periodic manual testing.
What third-party vendors do you use, and how much access do they have to your IT infrastructure and customer data? Hold your third parties to the same cybersecurity standards as your own organization, because their exposure becomes yours. You may also want coverage for mistakes made by third parties, and you can contractually require them to carry their own cyber insurance.
Do you allow employees to bring their own devices? If so, you should have a BYOD policy in place and use a mobile device management solution, and you should train employees on best practices for using personal devices for company purposes.
Before an insurer will underwrite a cyber policy, the organization must first demonstrate a thorough understanding of its risk exposure and of what it actually needs to protect. This knowledge signals an organization's seriousness about cybersecurity and allows the insurer to write a policy that fits that business.
A comprehensive risk assessment, whether done in-house or by a third party, will highlight gaps in security and the critical areas of risk that may need immediate attention. The assessment will help you prioritize actions and develop a strategic plan for ongoing risk management, including a timeline for any required actions. You can then share this information with a potential insurer to demonstrate that your organization takes information security and risk management seriously.
2. Take Preventive Measures
No insurance policy is a complete security solution, and it is certainly not a license to be reckless. Policies are written to exclude high-impact scenarios that could easily have been prevented, such as an employee sending a large sum of money without a full vetting process or any secondary, out-of-band verification of the request.
Like any insurance policy, cyber coverage is not a replacement for preventive security measures. Insurers will therefore demand that certain steps be taken and controls implemented before they will even consider writing a policy. Organizations that are serious about addressing risk implement a security framework that includes both technology and process controls to prevent breaches, and they treat an insurance policy as a supplement to, rather than a replacement for, the risk-based security program they have built. The importance of having preventive measures in place before looking to insure assets cannot be overstated.
3. Assess Coverage
As with any type of insurance, there are many different types of cyber policies with varying levels of coverage. Therefore, it is vital that an organization be sure to read the fine print and understand just what each policy covers and, more importantly, what it does not cover.
Many cyber insurance policies do not cover the cost of replacing or upgrading a computer system that was breached. Many do cover both first-party damages (those you incur directly, such as the cost of recovering your data) and third-party damages (those that affect your customers or partners, which could lead to lawsuits you must pay to defend or settle), but talk with your insurer to learn the specifics of your policy.
Learn exactly which scenarios are covered, what the limit is for each, and how the deductible compares with the cost of the incidents you most expect. For instance, if a type of cyber-attack you think your company is likely to face typically costs $10,000 to remediate but your deductible is $12,000, that policy would pay nothing for it and would not be worth the investment.
Cyber insurance costs vary and depend heavily on your exposures. By better securing your network, you can potentially keep your premium and deductible lower. Unfortunately, organizations often take out cyber insurance policies without performing this due diligence or researching the range of available policies, what they cost and what they cover. Because this is a new and evolving area of insurance, there are no standard policy terms or language for cyber insurance, so two policies with similar names can differ substantially in what they actually pay for.
Ultimately, cybersecurity insurance can be enormously helpful in funding recovery from an attack and in pushing your defenses up to the standard insurers now expect, but it should never be thought of as an alternative to a strong cybersecurity strategy: you must prepare properly to get the most benefit from a policy.
If you would like to discuss this or other cyber topics, please feel free to reach out to us.