The landscape of cybersecurity insurance is shifting in the wake of a wave of high-profile ransomware attacks. Over the last five years, the U.S. has suffered more than 4,000 ransomware attacks a day, according to a U.S. government interagency report. It’s a pandemic unto itself: Ransomware attacks happen once every eight minutes.
This trend has driven greater adoption of cybersecurity insurance, but carriers are discovering that claims can prove extremely costly.
As costs for carriers have soared, some insurers have reduced the ransomware coverage they offer. After seeing businesses, hospitals, and schools extorted by $5.5 billion in France, AXA, one of Europe’s top five insurers, announced it would stop making ransomware payments altogether in its native country. In my experience working with insurers and studying the market, others have reduced coverage limits, raised premiums, and introduced far stricter policies with expectations that policyholders will adopt all responsible precautions, abide by strict compliance measures and set up exceptional security measures that are well-documented.
Ransomware hits mainstream headlines regularly, but it’s not the only reason to get cybersecurity coverage. With the average cost of a data breach pegged at $3.86 million, according to Ponemon Institute research, it’s vital to put time and resources into cybersecurity. A strict cybersecurity posture reduces the risk of any incident and leads to lower premiums, so it pays to get your house in order before you start shopping for policies. Here are a few steps to take before you start looking:
1. Assess the potential impact of a cyber incident.
A crucial starting point for any cybersecurity strategy is to conduct a comprehensive risk assessment to gain insights into your potential exposure. You must analyze the core components of your business and identify which are mission-critical and how these aspects could be compromised. Compile a complete picture of your operations and current security policies, procedures, and expertise. The deeper your insight, the stronger the foundation you have to build on.
2. Strengthen your security policies.
Many best practices are a requirement for cybersecurity policies. Paying due care and attention to security can also safeguard you against punitive action from regulatory bodies in the aftermath of an attack. Vulnerability scanning is crucial for every organization to catch some of the most commonly exploited attack vectors, but it must prompt remediation.
To limit access and reduce your attack surface, consider multi-factor authentication (MFA) and zero-trust policies. By ensuring that only authorized personnel have access to company networks and precious data, you will reduce breach risk and limit the damage any successful attack might wreak.
3. Educate your people.
We know that malware usually gains access through email, so user awareness training that is specific to warding off phishing scams is one of the most effective ways to strengthen your defenses.
The most common threat vector is phishing; the U.K.’s Department for Digital, Culture, Media, and Sport (DCMS) reports that phishing is behind 83% of attacks. Teach employees to understand common risks, and reward the positive cybersecurity hygiene you want to encourage. Train them through simulated phishing exercises so they develop skepticism and the ability to spot phishing scams. Make it easy for them to report any suspicious activity.
4. Plan for the worst case.
Regardless of the strength of your defenses, there will be security incidents, so it’s vital to have a proper incident response plan in place and to factor in remediation.
By planning out precisely what must be done and who is responsible, you can massively decrease the time it will take and the overall cost of returning to normal. If you lack internal expertise, consider an outside provider of managed detection and response (MDR) service.
5. Test defenses.
To verify that your cybersecurity posture is sound, you must test it. Engage a third party with expertise to perform penetration testing (inside and out) — they can advise on the most likely techniques cybercriminals will use and identify weaknesses in your network that need addressing. Insurance carriers are motivated by lowering their own risk; they will ask for this kind of documentation or perhaps run their own security audit. With an extremely tight labor market, consider bringing onboard a virtual chief information security officer (vCISO) or C-level expertise in data protection or privacy.
Penetration testing will result in knowing the existing forensic investigation procedures you have in place are working. If you can prove your environment will pass a pen test, chances are good your insurance premium will be lower.
6. Ask the right questions.
When it comes time to start assessing the cyber insurance policy, make sure you ask the right questions. Delve into precisely what is covered and consider what coverage you need carefully. If anything isn’t clear, ask your agent for confirmation. For areas where you have in-house expertise, you may feel certain elements of a policy aren’t required. Conversely, for areas where you lack internal skills, you may want to make policy additions.
Make sure you understand what support, if any, will be provided during or after any security incident. It’s also crucial to recognize everything that must be in place for a successful claim. Insurance policies require certain information to be kept up to date for a valid claim to be made, so make someone responsible for keeping your insurer apprised of any changes in your circumstances.
Ultimately, cybersecurity insurance can be enormously helpful in strengthening your defenses and aiding recovery from an attack, but it should never be thought of as an alternative to a strong cybersecurity strategy — you must prepare properly to get the most benefit from a policy.
Ready to take the next steps on Cyber Insurance?
Call us today at 774.204.0700 or email us at firstname.lastname@example.org to leverage
our expertise to make sure you are fully protected when you need it the most.
This article was originally posted in the Forbes Technology Council