Can You Meet the Evolving Cybersecurity Insurance Requirements?
As you’re working toward achieving robust cybersecurity, the subject of cyber attack insurance coverage and cybersecurity insurance requirements is sure to enter the discussion. Maybe you’ve already delved into this topic, as cyber insurance has become an essential cornerstone of every information security program. Many overriding factors will affect your ability to obtain and retain the coverage you need at a reasonable rate—and a successful approach is tied closely to a comprehensive cybersecurity posture.
Short on time? Scroll to the bottom for the cliff notes.
Coverage Denials and Claims Rise
With cyber threats like ransomware continuing to track upward and the supply chain and third-party vendors under direct attack, the cyber insurance market is on high alert, and their risk model for cyberattack insurance coverage is changing. Some insurers have pulled back on their coverage, and pricing has increased from 40 to 60%.
With this sea of change comes a dose of reality: premiums are much higher, and cyberattack insurance coverage may be reduced or denied altogether. Claims have become more complex, and in addition to addressing ransomware payments, it must now consider IT forensics, legal costs, business interruption, and funds for data restoration. Businesses will find themselves, their risk profiles, and their customers under scrutiny, with detailed assessments and other documentation necessary to be considered for coverage.
The New Reality of Insurance
A 2022 Coalition Cyber Insurance Claims Report shows that while cybercriminals continue to expand their techniques, phishing and social engineering remains the most common tactic for cybercrime. According to the report, cyber insurance will become harder for many businesses to access as the insurance market continues to harden.
While it’s up to the underwriters, there are steps to take so you’re less likely to be denied during the cyber insurance underwriting process. Be prepared to prove your cybersecurity program, which includes assessments, testing, policies, training, detection, and response, is in line with your potential risk. You’ll also likely be responsible for providing detailed data, questionnaires, and other information to insurance companies.
Want to find out how an expert implemented a successful employee security awareness program?
Not Having Cyberattack Insurance Coverage is Risky Business
Operating without cybersecurity insurance is not an option, and organizations must protect themselves from legal consequences. While the costs are becoming increasingly expensive for both insurer and the insured, doing nothing to prepare has far-reaching implications. The cost of not being insured can result in loss of business continuity, profitability, health and safety, and ongoing reputation within the community.
Some common reasons your claim could be denied include:
- An organization fails to maintain or follow an ongoing program or minimum standards.
- There are discrepancies, errors, omissions, or ambiguity in completing the initial risk questionnaire.
- In the event of an attack, the initial compromise occurred before the organization purchased the cyber policy.
- Ransomware perpetrated by organizations deemed nation-state actors may be considered acts of war.
- Conducting your own initial forensic discovery—many cyber insurance providers have their own incident response teams or preferred vendors for investigation. Discuss incident response requirements before you have an actual cyber event.
Plan, Prep, and Execute
Businesses with cybersecurity insurance need to ensure that their coverage is sufficient and addresses their most significant potential risks—specifically the clients they serve. Remember that there are two kinds of insurance: first-party coverage covers direct losses to the insured. In contrast, third-party coverage extends to losses suffered by others based on their relationship with the insured.
Coverage is never 100% complete, and it may not include these other costs:
- Downtime/business interruption that results in loss of sales and profitability or losses that occur if a cyberattack occurs during the “waiting period” for policy enforcement.
- Costs to improve technology systems, such as new hardware, software, upgrades, and security hardening for systems or applications.
- Third-party or misconfiguration mistakes—for example, a breach caused by a cloud misconfiguration or administrative error configuring cloud-hosted web services.
In this ever-evolving cybersecurity landscape, insurers are asking much more of their clients regarding staff training and technological safeguards. Some may avoid government and critical infrastructure markets altogether. In addition, there’s now a philosophical question to address: Do these targeted policies create incentives for attacks and ransoms because they know governments have insurance policies and can pay large payments? Yes, say some experts, but not having insurance is a risk government and other high-profile users simply cannot take.
Best Practices to Avoid a No-Go on Insurance
Cyber insurance is a critical risk mitigation measure—but it can’t stand alone. If you’re newly investigating cyber insurance, be prepared to provide lots of details about your business, who your customers are, and your established policies and procedures. Determine your risk with full transparency, set a baseline, and conduct thorough due diligence on the policies available and what they specifically cover.
Organizations without internal security teams may be more vulnerable to sophisticated cyber threats and need guidance and tools to build and manage a comprehensive cybersecurity program. Cybersecurity is a posture—an ongoing process that aligns throughout your organization and seeks regular improvement to address current threats and attack vectors. While we can’t guarantee that you won’t have challenges obtaining coverage along the way, Defendify’s platform provides continuous cybersecurity to align with an insurance provider’s expectations.
TL;DR
- Many overriding factors will affect your ability to obtain and retain the coverage you need at a reasonable rate.
- The cost of not being insured can result in loss of business continuity, profitability, health and safety, and ongoing reputation within the community.
- As threats like ransomware continue to increase, premiums are much higher, and cyberattack insurance coverage may be reduced or denied altogether.
- There are two kinds of insurance: first-party coverage and third-party coverage.
- There are steps to take so you’re less likely to be denied during the cyber insurance underwriting process.
Resources & insights
Cost of a Cyberattack vs. Cybersecurity Investment
Defendify Listed as a High Performer in Six G2 Grid Categories
Explaining the Risk of a Cyberattack in Their Language
Cost of a Cyberattack vs. Cybersecurity Investment
Defendify Listed as a High Performer in Six G2 Grid Categories
Explaining the Risk of a Cyberattack in Their Language
Protect and defend with multiple layers of cybersecurity
Defend your business with All-In-One Cybersecurity®.
Explore layered
security
Learn more about Defendify’s three key layers and All-In-One Cybersecurity®.
How can we help?
Schedule time to talk to a cybersecurity expert to discuss your needs.
See how it works
See how Defendify’s platform, modules, and expertise work to improve security posture.