You're a business leader who is smart enough to know the importance of protecting your organization from cyber threats. You also understand that general liability insurance may not cover many of the costs you'll incur in the event of a breach. So, you took the wise route of applying for cyber insurance.
The problem is your business was denied coverage. But why?
In most cases, companies are denied cyber insurance due to flaws in their cybersecurity program. Implementing cybersecurity best practices can help your business course correct and get approved for cyber insurance at a lower premium.
The Current Cyber Insurance Landscape
As cyberattacks such as ransomware ramp up, threatening the data of businesses, insurers are reevaluating their approach to cybersecurity coverage, and premiums are becoming more expensive across all industries.
A report from the CyberEdge Group, an IT research firm, revealed that 89.7% of organizations experienced at least one cyberattack in 2021, up from 78.5% a year earlier.
According to S&P Global Market Intelligence, this higher-risk environment has resulted in written premiums for all cyber policies jumping to $4.61 billion in 2021, a 74.1% year-over-year increase from $2.65 billion in 2020.
As a result of increased risk, policy providers are making sure that companies comply with specific security standards before policy approval.
What Cyber Insurance Companies Want
When underwriting a policy, cyber insurance providers typically conduct a basic audit of your cybersecurity practices. They look for a minimum set of security controls, including:
- Deployment of perimeter firewalls and antivirus software
- Usage of strong and complex passwords
- Regular installation of software patches
- A robust user management process
- Proactive hardware and software lifecycle replacement programs
- Implementation of physical security controls
- Encryption of mobile devices that interact with sensitive or regulated data
- Continual monitoring of network traffic
Whether your business is newly in the market for a cyber insurance policy or has recently been denied, your first course of action should be to conduct an internal audit of your cybersecurity practices. This way, there will be no surprises, and you can tackle any issues before the insurance company uncovers them.
A good cyber insurance risk assessment considers whether a prospective policyholder has:
- A written cybersecurity policy in place
- Basic security training for employees, teaching them to identify phishing attempts and fostering a culture of cyber threat awareness
- The ability to consistently review and respond to security monitoring alerts
- Multi-factor authentication (MFA) enabled across the organization, specifically for remote access, email, and privileged users
- Segregated backups, such as a 3-2-1 backup strategy, specifically including offline or cloud-based backups
- Endpoint protection, such as managed detection and response (MDR) and endpoint detection and response (EDR) services
- Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Sender Policy Framework (SPF) enabled for the organization's email domains
- A practice of checking for and managing open ports
Frankly, by not having these fundamentals in place, you're asking for much bigger problems than being denied cyber insurance.
Insurance companies want to know that your security team can detect and respond to breaches before serious damage is done, which minimizes the risk to them.
A mistake many businesses make is to meet the minimum regulatory compliance requirements and consider the job done. However, a bare-bones approach won't cut it in today's environment of continually evolving threats from bad actors. It's also critical to perform technical control assessments to verify that your security controls are in place and up to date, not just documented.
Move away from the mindset of taking specific steps to meet a standard and adopt the practice of proactively improving your cybersecurity programs. This mindset shift will strengthen your company's defenses and make you a much better candidate for cyber insurance.
Cyber Insurance Is Not a Silver Bullet
The benefits of cyber insurance far outweigh the costs. However, getting approved will not solve all your problems. Falling victim to a cyberattack can devastate any organization, especially a small or medium-sized business.
It's important to remember that while cyber insurance will cover some of your costs in the event of a cyberattack, data breach, or other incident, there's no guarantee that your cyber insurance company will pay your claim.
Moreover, cyber insurance will not cover the loss of trust and damage to your company's reputation. For example, if you have a cyber issue that results in a breach of sensitive customer data, your customers may lose confidence in your organization and take their business elsewhere.
While cyber insurance is a great tool to have and can be a critical component of your information security strategy, reducing your cyber liability will benefit you in more ways than one. By implementing the cybersecurity best practices outlined above, including regular cybersecurity assessments and a layered control framework, there's a good chance you'll have a lower cyber insurance premium and be much less likely to experience a breach.
Increase Your Odds of Cyber Insurance Approval
If you lack the internal resources needed to tighten the reins on your cybersecurity program and gain approval for cyber insurance, consider partnering with an experienced MSP that can help you implement preventative measures and establish the required documentation to improve your chances of being approved for cyber insurance.
VC3 can assess your current cybersecurity practices, outline what you need to do to secure your IT assets, and help you implement the processes that will increase your chances of cyber insurance approval. Get in touch with us today.