Cyber insurance is not the most glittering side of cybersecurity, but it has certainly earned its place in today's security debate.
According to Statista, as of 2021, an average of 48 percent of organizations in selected countries worldwide had cyber insurance, with numbers slightly higher for countries such as the U.S. (50 percent), Sweden (55 percent), and Austria (66 percent). Current predictions indicate the cyber insurance market will rise from its eight-billion-dollar valuation of 2020 to a sizeable 20 billion U.S. dollars by 2025.
So why the hype? And given the prolific rise in cybercrime, is cyber insurance the panacea companies intend it to be? That's up to each organization to decide. Here are the facts.
What Is Cyber Insurance?
Cyber insurance (also referred to as cyber liability insurance or cybersecurity insurance) is financial protection offered in the unfortunate event that a company sustains losses in data, revenue, or other resources due to a cyber incident or data breach.
It can also cover all the collateral damage and remediation costs, such as what the company pays for threat investigation, legal fees, customer communication, and refunds.
According to the 2021 Thales Data Threat Report, 45 percent of U.S.-based companies have experienced a data breach in the past. The National Association of Insurance Commissioners (NAIC) published findings in 2022 which indicate that "the stand-alone cyber insurance direct written premiums for 2021 increased by 94.7 percent from the prior year."
As attacks continue to skyrocket and new AI-driven threats are introduced, the trend towards cyber insurance continues.
What Does Cyber Insurance Cover?
While specifics vary, the average cybersecurity policy covers the expenses of remediating infected systems, restoring data, and returning them to normal operation. It also covers forensics to identify the root cause of the compromise so the environment can be hardened to prevent this type of incident from happening again. Other expenses covered include legal fees, business interruption and loss of income, public relations expenses, fines, costs of restoring data, customer notification, and credit monitoring services.
How Much Does Cyber Insurance Cost?
When the business was new, it was a buyer's market with companies lining up by the dozen to purchase generous cybersecurity insurance policies. At the time, ransomware was an annoying pop-up that would bug businesses for a few thousand dollars and nation-states were content with physical espionage. That was 20 years ago.
Now, the tides have turned, and insurers are pulling in the reins. Cyberattacks are no longer a far-distant matter of "if" but a certain matter of "when." According to the U.S. Government Accountability Office (GAO), cyber liability premiums steadily rose by 14 percentage points between 2017 and 2020 alone.
Per the GAO's 2021 research, the cost of the average cyberattack nearly doubled within a recent three-year period and providers have adjusted their offerings accordingly. Now, high-risk organizations like those in academia, health care, and the public sector can expect higher rates and more exclusions.
For example, commercial property and casualty policies could have included cyber coverage early on; now, cybersecurity insurance stands alone. And not only that: it's harder to get.
How Do You Qualify for Cyber Insurance?
In the current threat climate, cyber insurance companies now require enhanced security from clients. Most demand a minimum Multi-factor Authentication (MFA) requirement and 24/7 monitoring. Others raise the bar on everything from password strength to supply chain security to incident response, pen testing, backups, endpoint detection and user training.
While it isn't an exact science, there are five key areas cyber insurance providers are apt to focus on when assessing risk. I elaborated on them in our recent Cybersecurity Week Webinar Series in a webinar titled "Things Your Cyber Insurance Provider Will Ask."
- Visibility: Environments are dynamic, and you need to maintain an accurate inventory of all your assets and their criticality. Providers are looking to ensure you regularly discover assets and data, have a classification system, and ensure they are being monitored around the clock. There are also solutions like penetration testing and adversary simulation to gain a different perspective of visibility. This is optional, but knowing how an attacker may get into your environment allows you to harden your network and demonstrates a higher level of diligence in the eyes of most providers.
- Risk Management: Reducing your attack surface is an ongoing activity that proactively lowers the likelihood of a successful attack. Providers will want to understand your patching program and whether you have deployed Multi-Factor Authentication (MFA), even if it is SMS-based. Better still is MFA with hardware tokens, which is a more secure solution than SMS, along with phishing simulations as part of your ongoing awareness program.
- Prevention Controls: Your security stack not only keeps bad actors out but also ensures the right people are collaborating with you and your assets. Most providers want Endpoint Detection & Response (EDR) or equivalent functionality. Some providers will specify that certain EDR vendors must be used, or you risk being disqualified from coverage. There are many options for email security, such as content scanning, sandboxing to detonate attachments, and DMARC, so it's important to know all the capabilities enabled for your incoming mail, as well as any integrated Data Loss Prevention (DLP) protecting Personally Identifiable Information (PII) and Protected Health Information (PHI). If your data protection program uses an enterprise-class DLP solution, let the insurer know, along with any ongoing hardening of the network such as disabling unnecessary ports.
- Detection: In security there is no such thing as 100 percent prevention, so you need mechanisms in place across your IT estate to detect unwanted activity and respond in a timely manner. Intrusion Detection Systems (IDS) and a SIEM or equivalent are vital in finding active attacks. If you are an organization with a more mature SOC program that includes threat hunting and a curriculum for upleveling the skillsets of your analysts, you will definitely want to communicate that to the insurer.
- Response: Once you detect an attack, you need to address it quickly to minimize the impact of that successful attack. Your security strategy should have a documented incident response plan with stakeholders and their roles and responsibilities. Insurers will want to know about it along with your backup and recovery plan. Even better is discussing a recent test of these plans, what was learned, and the changes in the plans and hardening of your IT estate. This may include implementing automated response actions such as isolating a host or disabling a credential to prevent further damage.
On IBM i, requirements center on MFA, security information and event management, data encryption, antivirus and anti-ransomware, and exit programs.
Most of what insurers want to see is a strong, well-put-together security strategy. To that end, certain cybersecurity technologies are also recommended as "worthwhile" by the cyber insurance industry at large.
However, don't forget: you're also the one shopping for the right fit. Remember to read the fine print regarding things like sub-limits, nation-state attacks, and ransomware payments before you buy.
Considering The Pros and Cons of Cyber Insurance
While the American Property Casualty Insurance Association defines cyber resilience as a "societal obligation," the choice to invest in cybersecurity insurance is one that must be made thoughtfully by each organization. A company's risk tolerance will largely determine the strength and the limits of its policy needs, and some businesses may choose to forgo coverage completely.
It might be seriously considered by a business that handles large amounts of PII, a public-facing firm with strict privacy law obligations, or a company still new in its cybersecurity strategy. Cyber insurance is also a strong consideration for mega-enterprises with vast amounts of data to keep and high stakes should a breach hit the press – or the pocketbook.
However, the cost of getting cyber-insured can be increasingly prohibitive. Companies need to determine their risk appetite, factor in the average cost of a breach, and decide if the counter-spend of cyber liability coverage is worth the cost – or potential cost savings.
Decide on Cyber Insurance with Confidence. We Can Help Get Things Sorted.
Continue learning as you join our cyber insurance discussion from Fortra's Cybersecurity Week. Watch the webinar now.
Or personally ask a Fortra expert. Contact us here and one will reach out.