Uninsured organizations thinking of either alternatives may be missing the bigger picture here. Find out why.
In the past, organizations were asking “should we or should we not purchase” cyber risk insurance.
Many management boards and risk managers were not entirely sure of the value of insuring against such risks as “we have never needed it before”, and they viewed such insurance policies with a cautious and cynical eye.
Another argument was “Our IT teams have our cyber risk under control. There is no way we could get hacked. We are completely secure.” Now, with years of continual surges in cyber threats, organizations know that the total tangible and intangible costs a cyber incident—including digital forensics, public relations, legal, and business interruption—can add up to several million dollars: for a single event, with many claims exceeding US$1m.
The opportunity cost of not carrying cyber insurance, is now far costlier in the long run, despite rising premiums in this space. Cyber risk insurance demand has therefore increased from 50% to 200%, depending on industry sector.
The question being asked is “do we qualify for this insurance?”
Due diligence before insurance
Before insurers will even offer a quotation, organizations must be able to demonstrate adequate baseline cybersecurity controls.
In the current market, many insurers will simply decline to provide a quotation when baseline requirements are not met.
Since no two organizations are identical in terms of their network setup and IT environment, insurers have adopted broad baseline security measures to look for in a prospect before they deem the organization ‘insurable’.
Just like how a property insurer would not insure a building devoid of locks and sprinklers, cyber insurers will not insure companies that do not meet certain baseline IT security controls. These include:
- Implementation of multi-factor authentication across the IT estate / environment
- Deployment of endpoint detection and response solution for all endpoints
- Quality of backup management for effective data security and restoration
- Presence of encryption of data-at-rest and data-in-transit, supported by a data classification strategy
- Quality of approach to network defense that includes use of firewalls, web traffic monitoring and email filtering
- Effective and repeatable patch, change management processes or policies in place
- Strong approach to workforce cyber awareness and training, including phishing simulation
- Implementation of incident response, business continuity and disaster recovery plans—tested in the last 12 months
- Network segmentation (including data, IT and OT environments, etc.) by business and geography
- Implementation of a formal privileged access management solution
- Confirmation that all local admin privileges are disabled for standard IT users
One may have thought these mounting hurdles in procuring cyber risk insurance, combined with increasing premium levels would serve to dampen demand for cyber risk insurance. However, the opposite is the case.
Furthermore, organizations thinking of securing a better package will find that the various insurers subject all applicants to fresh rounds of scrutiny and audits, cyber risk evaluation diligence and often, little room for deviation in pricing.
Invest in IT security or cyber insurance?
Organizations may be contemplating whether to divert investments in cyber insurance toward boosting IT security instead.
However, this should not be an either/or matter. According to CrowdStrike, cyber insurance is not a substitute for cybersecurity. A well thought-out cyber risk strategy involves the right balance between organizational investment in its people, discipline in its processes, and investment and deployment in the right technologies to monitor threats and mitigate cyber-attacks from manifesting.
Once these lines of defense are in place, insurance rounds out the picture as the final layer of defense. Overall, cyber risk insurance is the financial backstop after reasonable investments have been implemented and best efforts deployed to mitigate against attack.
