What you need to know about cyber insurance
What is cyber insurance?
While there are a variety of policies, providers, and cyber insurance offerings in the market, at its foundation, cyber insurance is an insurance policy that organizations purchase to cover the consequences of a successful cyber attack or data breach. Just as home or car insurance protects you when the worst happens by helping with the cost of recovery, a cyber insurance policy reimburses the organization for financial losses sustained from the attack.
Why is cyber insurance necessary?
In today’s cybersecurity environment, no organization is immune to the threat, and the fallout, of a cyberattack; for cyber insurance, the most common type of attack that requires a payout is ransomware. Ransomware attacks occur every eight minutes, with an average cost in the millions. Most of these attacks involve human error in some way, and third parties are a common source. Because of this dynamic, Marsh & McLennan estimates that 80% of their customers are now asking for cyber insurance, up from 40% only a few years ago. All industries and types of organizations are being targeted in these attacks, and though organizations can defend and prepare as much as possible (and indeed are required to by insurance providers and regulations), there is always the risk that an attacker will still be successful. It is similar to how you take care of your house: you do everything you can to prevent a fire from breaking out. You blow out candles when you leave the house, turn off the stove when not in use, remove lint from the dryer and so on, because no one wants to deal with the consequences of a burned home and belongings. But, just in case it does happen, home insurance helps you with the cost of recovering your belongings and rebuilding your house. In the same way, if your organization is successfully attacked, you will be glad to have cyber insurance to help with the cost of those losses.
Why is getting and renewing cyber insurance so difficult?
If you looked at cyber insurance a few years ago, it was comparatively easy to get coverage as a simple add-on to your existing policy. Now, it can be incredibly difficult and expensive to get insured and to maintain coverage. Why? Cyberattacks, specifically ransomware, are now frequent and sophisticated, and the financial losses from an attack are sky high. In this new “normal”, insurance providers trying to stay solvent want to minimize how much, and how often, they pay out. Premiums and exclusions have increased while coverage scope has decreased, and the underwriting process is rigorous and lengthy. Providers require security best practices and increasingly specific and precise controls to be in place before they will even consider coverage. They want to see, and even require, defenses that prevent attackers from successfully knocking down your door; they are assessing how easy or difficult it is to attack your organization and determining coverage and premiums based on that.
What do you need in place to qualify and keep premiums low?
Cyber insurance is a good backup to have in place, yet it is difficult to qualify for or renew. What specifically are providers looking for when they make their coverage decisions? Broadly speaking, they look at the technology solutions you have in place, the cybersecurity education you provide to your users, and the processes and standards you follow. Let’s dig into the specific technology and security controls many insurers are looking for.
- From a technology perspective, many providers are now requiring:
  - Security and management of privileged users and access (often with a PAM solution)
  - Credential vaults for securing privileged credentials
  - Multi-factor authentication for users (including privileged users), workflows, employee remote access and systems
  - Security and management of third-party users and remote access, including multi-factor authentication for those external users and remote access based on Zero Trust
  - Enforcement of password complexity for user credentials
  - Timely removal of access for users no longer with the organization, and enforced least privilege access for current users
  - Endpoint detection and response
  - Secure remote access methods
- From an education and preparedness standpoint, many providers want to see:
  - Regular cybersecurity awareness training and education for all employees
  - Proactive plans in place to prevent, detect, and respond to attacks and cyber threats, including incident response plans and secured recovery backups in case of an incident
  - A regular cadence of timely patches and updates, applied as soon as they become available
While the controls that insurers are looking for are increasingly specific, they are all also security best practices that will help defend and protect your organization against a cyberattack. Cyber insurance is something you never want to have to use; while it does help organizations recover losses, recovering from a ransomware attack is still expensive and time consuming, and it can have a substantial impact on the business and its operations. Being proactive with the security controls you implement, while time and resource intensive, can save you in the long run, both on your cyber insurance premiums and against a ransomware attack.