By its very nature, cybersecurity is a risk mitigation exercise; the risk never goes away and cannot be eliminated unless you lock everything in a box and throw the key away. That’s why a completely non-technical further line of defence is such a good idea: cyber insurance cover. These days, it should be as much a part of your insurance portfolio as General Liability, Property and Vehicle are. And when people ask me ‘which organisations should look into cyber insurance’, the answer is easy: every organisation should. Even if you don’t take the policy, the exercise of testing the market for cyber insurance will prove invaluable, because good insurers won’t even provide a quote until they’ve assessed your security posture. If it comes up short, there’s a lesson for your organisation: if things aren’t sufficiently secure for an insurer’s liking, you’re a target and should take additional precautions.
What is cyber insurance?
We’ll start with the basics because cyber is a relative newcomer to the insurance field. This means providing cyber insurance is itself risky and therefore a specialist product offered by a limited number of brokers and underwriters. Like every other insurance product, cyber insurance transfers some of the risk of a cyberattack to an insurer, in exchange for a premium. Most policies address the multiple facets of the fallout from an attack, and offer benefits including compensation for financial loss, as well as contributions towards legal assistance, reputation management, and investigation and remediation.
Given that just about every organisation today – from the local town council to the neighbourhood fast food joint, and on to the retailers, law offices and everyone else – depends on IT services, the potential market for cyber insurers is big. With this large addressable market, plenty of insurers stepped up looking for the premium income. However, the risks are not only very real, but when attacks occur, the losses are also very substantial (back in 2021, Newshub reported that the average cost of an attack was $159,000). Big attacks, like the one being experienced by Latitude Financial Services, can result in losses running into the millions.
This has meant capacity has reduced in recent times, as some insurers have done the sums and realised that the sustainable provision of cyber insurance is more difficult than most ‘volume’ products. Providing insurance in this space, in other words, requires diligence coupled with detailed knowledge of information security and the measures potential customers have in place.
How to get cyber insurance
I’ve already said every director should consider cyber insurance for their organisation, so the next most obvious question is ‘how’. There are two answers to this one. The first is to speak to your managed services provider; we know what insurers are looking for, and we know how to get your organisation sorted so the broker (and the underwriter) will be happy to insure you. The second answer is to go to a specialist broker offering cyber insurance and have a chat.
Typically, your broker will look for appropriate cybersecurity controls before pricing up and offering cover. These controls include:
- Multifactor authentication for remote access and admin/privileged access.
- Endpoint Detection and Response (EDR).
- Secured, encrypted, and tested backups.
- Privileged Access Management (PAM).
- Email filtering and web security.
- Patch and vulnerability management.
- Cyber incident response planning and testing.
- Cybersecurity awareness training and phishing testing.
- Hardening techniques including Remote Desktop Protocol (RDP) mitigation.
- Logging and monitoring/network protections.
- End-of-life systems replaced or protected.
- Vendor/digital supply chain risk management.
Either way, opening the door to cyber insurance is a sound idea. Your MSP has probably had the security chat already, and in all likelihood has your data estate appropriately protected (note I say ‘appropriately’: cybersecurity measures should be tailored to your risk profile; while both deal with customer information and records, the lawnmower shop’s cyber protection, while every bit as necessary, will differ somewhat from that of the law firm).
The brokers we work with tend to stress that getting your cyber insurance sooner is better than addressing it later. This is due in part to the escalating threat environment, where ransomware and other moneymaking schemes are always on the rise, and in part to the reality of reducing insurer appetite. In simple terms, ‘you might not be able to get coverage’ if you leave it too long.
Finally, and I’ve mentioned this previously, even if you don’t get cyber insurance, it’s worth talking about it with your broker or MSP. At the very least, it will help quantify your cybersecurity posture – and, potentially, contribute to reducing the risks you face.