As Russia looks poised to step up its cyberattacks against the United States, companies and their founders should ask themselves: Do we have adequate cybersecurity insurance? Do we even have cybersecurity insurance? The answer to both should be yes.
Today, no organization is safe from malicious system breaches, and the threats are accelerating. Recently, President Biden warned all American companies to beef up their defenses, citing new intelligence on Russian-backed cyber threats. This comes after ransomware attacks in North America increased 104 percent last year.
Additionally, the accelerating pace of global digital transformation makes insurance protection a necessity. Not only do some vendors require it, but recovering from a cyberattack is getting expensive. Companies must pay ransoms, as well as bear the costs of returning to normal operations, repairing the brand and more.
However, even if you have coverage, you are not guaranteed to keep it. Cyberattacks are becoming so frequent and costly that insurers are shedding existing customers, reevaluating risk metrics and setting high standards for new customers. Meanwhile, insurance companies are increasing premiums at an alarming rate.
Here are some ways to convince an insurer that it’s worth the risk and keep costs as low as possible:
What you need to qualify.
The first step is to assess your three environments: your company’s enterprise network, your public cloud assets, and your remote operations.
In all three environments, insurers will look for gaps in software and infrastructure, and for weak devices and systems. Too many cracks can leave you uninsured. They’ll also want to know how you control privileged user access: there’s a huge market for stolen admin credentials, and most successful ransomware attacks depend on compromised admin credentials. Ask yourself: are your cybersecurity tools merely defensive, or do they offer true protection?
Insurers will examine your people and processes: if you’re a 10,000-employee company with a couple of cybersecurity experts, or if you have significant turnover, you’re a risk. The same goes for inadequate incident response and disaster recovery plans. According to IBM, the average cost of a data breach last year was $4.24 million. That’s the kind of number that can make insurers very selective.
If insurers find your incident response and recovery planning deficient, it not only poses a higher risk of non-compliance, but it will also take longer to get back up and running. Customers are more likely to sue. Also, not all costs will be covered. For example, Blackbaud revealed more than $6 million in recovery costs, of which only about half was covered by cyber insurance.
How to keep your insurance.
Your main fear should be overconfidence. You may have invested in expensive security platforms. You may have done red team drills that appear to prove you’re impenetrable. But these are no guarantee. Remember that the Equifax breach succeeded because of a delay in installing a patch. The Colonial Pipeline was brought down by an easy-to-crack password.
By their very nature, hackers are probing for weaknesses that you have overlooked. Even a red team’s attacks only reflect a single point in time and a particular set of circumstances. In reality, you must apply more rigor to maintain your insurance than you did to qualify for it. It is imperative to establish a rhythm of communication and evaluation with your carriers between renewals, for example, to determine how your investments in cybersecurity tools affect your premiums. Both the insured and the insurance provider need to learn from each other.
Any lapse, especially one that is considered obvious, could intensify your insurer’s scrutiny. (It will also increase your premiums and your deductible.) If your renewal is cancelled, word spreads quickly. Other insurers will want to know who previously covered you and why you were disqualified.
Reduce your premiums.
Start with a practical approach to mitigate higher cyber insurance premiums and keep your insurers happy. Show that your CEO participates in simulation exercises and that your board is involved. Show that you have continuity among your trained staff.
Ask your insurers what tools, controls or processes you could add to lower premiums. This requires working with them well in advance of the next renewal.
Make a case for your reduced risk, if there is one. If you’re a 50-bed hospital in upstate New York, you’re not the treasure trove for cybercriminals that the Mayo Clinic is. Assembling comparables from within your industry could be an argument for reductions.
Relationships with people are also important – get to know your broker and build a strong relationship. He or she will help you find carriers that align with the security posture, risk mitigation, and economics you’re looking for.
It is not clear how the war between Russia and Ukraine will influence all this. Premiums were already skyrocketing before the conflict. But cyberattacks are on the rise, as are insurance costs. As premiums rise, there is a temptation to opt for basic coverage.
Trading partners and supply chains now require you to have cyber insurance. Think of it as a cost of doing business in the Internet economy. After all, cyberattacks have bankrupted entire companies, both large and small. But no matter what policy you have, it’s also vital to stay proactive, doing everything you can to keep your systems secure and your costs as low as possible.