The landscape of cybersecurity insurance is shifting in the wake of a wave of high-profile ransomware attacks. Over the last five years, the U.S. has suffered more than 4,000 ransomware attacks a day, according to a U.S. government interagency report. It's a pandemic unto itself: ransomware attacks happen once every eight minutes, according to a recent New York Times article. This trend has driven greater adoption of cybersecurity insurance, but carriers are discovering that claims can prove extremely costly. As costs for carriers have soared, some insurers have reduced the ransomware coverage they offer. After seeing businesses, hospitals, and schools in France extorted for $5.5 billion, AXA, one of Europe's top five insurers, announced it would stop covering ransomware payments altogether in its native country.
Ransomware hits mainstream headlines regularly, but it's not the only reason to get cybersecurity coverage. With the average cost of a data breach pegged at $3.86 million, according to Ponemon Institute research, it's vital to put time and resources into cybersecurity.
A strict cybersecurity posture reduces the risk of any incident and leads to lower premiums, so it pays to get your house in order before starting shopping for cyber insurance.
Here are a few steps to take before you start looking:
1. Assess the potential impact of a cyber incident.
A crucial starting point for any cybersecurity strategy is to conduct a comprehensive risk assessment to gain insight into your potential exposure. Analyze the core components of your business and identify which are mission-critical. Compile a complete picture of your operations and your current security policies, procedures, and expertise; the deeper your insight, the stronger the foundation you have to build on.
2. Strengthen your security policies.
Many cybersecurity insurance policies require specific best practices as a condition of coverage. Paying due care and attention to security can also safeguard you against punitive action from regulatory bodies in the aftermath of an attack. Vulnerability scanning is crucial for every organization to catch some of the most commonly exploited attack vectors, but scanning is only useful if its findings prompt remediation. To limit access and reduce your attack surface, consider multi-factor authentication (MFA) and zero-trust policies. By ensuring that only authorized personnel have access to company networks and sensitive data, you will reduce breach risk and limit the damage any successful attack might wreak.
3. Educate your staff.
The most common threat vector is phishing: malware usually gains access through email, so user awareness training focused on detecting phishing scams is one of the most effective ways to strengthen your defenses. Teach employees to understand common risks and reward the positive cybersecurity hygiene you want to encourage. Train them through simulated phishing exercises so they develop healthy skepticism and the ability to spot phishing attempts. Make it easy for them to report any suspicious activity.
4. Plan for the worst case.
Regardless of the strength of your defenses, there will be security incidents, so it's vital to have a proper incident response plan in place and to factor in remediation. By planning out precisely what must be done and who is responsible, you can dramatically decrease the time it takes, and the overall cost, to return to normal. If you lack internal expertise, consider an outside provider of managed detection and response (MDR) services.
5. Test network defenses.
To verify that your cybersecurity posture is sound, you must test it. Engage a third party with the expertise to perform penetration testing. They can advise on the techniques cybercriminals are most likely to use and identify weaknesses in your network that need addressing. Insurance carriers are motivated by lowering their own risk; they will ask for this kind of documentation or may run their own security audit. With an extremely tight labor market, consider bringing on board a virtual chief information security officer (vCISO) or C-level expertise in data protection or privacy.
Penetration testing also shows you whether the forensic investigation procedures you have in place actually work. If you can prove your environment will pass a pen test, chances are good your insurance premium will be lower.
6. Ask the right questions.
When it comes time to start assessing a cyber insurance policy, make sure you ask the right questions. Delve into precisely what is covered and consider carefully what coverage you need. If anything isn't clear, ask your agent for confirmation. You may find that some aspects of a policy aren't required in areas where you have in-house expertise. Conversely, in areas where you lack internal skills, you may want to add coverage to the policy.
Make sure you understand what support, if any, will be provided during or after any security incident. It's also crucial to recognize everything that must be in place for a successful claim. Insurance policies require specific information to be kept up to date for a valid claim to be made, so make someone responsible for keeping your insurer apprised of any changes in your circumstances.
Ultimately, cybersecurity insurance can be enormously helpful in strengthening your defenses and aiding recovery from an attack. Still, it should never be thought of as an alternative to a robust cybersecurity strategy — you must prepare adequately to get the most benefit from a policy.