Cyber ​​insurance is on the rise, and an organization’s security practices must follow suit

Join the elite from July 26-28 at Transform’s AI & Edge Week. Hear top leaders discuss AL/ML technology, AI discussion, IVA, NLP, Edge, and more. Reserve your free pass now!


Despite great efforts against this – ransomware, hacks and data breaches are more common than ever.

About 75% of global decision makers on cyber threats have reported their company’s experience at least one cyberattack in the past year – and only 3% of respondents rated their company’s internet hygiene as “excellent.” Also, recent research puts the median salary at $211,529.

Naturally, to protect themselves, many organizations are investing – often – in cyber insurance, especially if cybersecurity breaches, hacks and ransomware attacks are often not included in traditional policies.

Cyber ​​insurance companies, too, are increasing their premiums and becoming more selective about the companies they want to insure.

“The cyber insurance market is changing,” said Jon Siegler, founder and chief executive officer of the regulatory, risk and compliance industry. LogicGate. “Cyber ​​insurance companies are not making as much money as they used to because they are paying more because of the increase in cyberattacks.”

Even after providing coverage, insurers are drawing based on the company’s risk profile.

“Cyber ​​insurance​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​ gusheges them they themselves their €

Insurance at a great price

Cyber ​​insurance is like any other insurance. It’s a way to deal with risk and loss from other events – in this case, cyberthreats.

Although it varies by insurance and the amount of coverage they carry, policies can cover costs associated with business email compromises, ransomware attacks, phishing attacks and other attacks, explained Jennifer Mulvihill, head of the security firm’s cyber insurance and legal business. of cyber. BlueVoyant. Policies can also provide first- and third-party support, he said.

All told, the cyber insurance market is expected to reach $25 billion by 2026, according to the annual cyber insurance report. The Howden Group. Also the National Association of Insurance Commissioners reports that cyber insurance premiums collected by major US insurance carriers in 2021 increased 92% year after year.

This is only going to continue, predicted Norman Krumberg, chief executive officer of the cybersecurity firm NetSPI. Today’s threat market makes it difficult for insurers to accurately assess IT management and security control maturity. He expects that it will be more difficult to get compensation for complaints, especially if there is a breakdown in the regulations.

In addition, cyber insurance companies and companies have increased the complexity of writing and filling out questionnaires, he said. Insurers in the past relied on questionnaires and self-verification and lacked the internal intelligence to evaluate the value of opinions.

But insurers are hiring security experts to review solutions and analyze the attack environment and understand how to manage it, Krumberg said.

Siegler pointed to a study by S&P Global Market Intelligence revealing that approx cyber insurance coverage it was about 73% in 2021, showing an increase of 25% from 2019. Cyber ​​insurance companies only save 27 cents for every dollar that customers pay – compared to 2019 when they earned 52 cents on the dollar.

Modern industry: Tech industry

So, why is cyber insurance so important?

“To some extent, every modern company is now a technology company,” Siegler said. Even if you don’t consider yourself a technology company, you do store customer information, sometimes even personally identifiable information (PII).”

It could be as simple as storing such information in an email, he said. Sending an email to the wrong recipient can be a data breach. Your organization can easily go to court. Similarly, storing PII requires compliance with numerous federal and state laws.

“Based on this, almost every modern organization can use cyber insurance,” Siegler said.

However, Mulvihill stressed that cyber insurance is more than just a standard policy that provides coverage for claims.

“Cyber ​​insurance offers coverage even before it happens,” he said, explaining that this could include offering cyber assessments and limiting access to experts.

Cyber ​​insurance savvy

Like all other types of insurance, organizations need to know what to look for – and what is expected of them.

Until now, organizations have had to consult with vendors to find out what fits their risks, Mulvihill said. This may depend on the sector and/or business activities or products. They also need to understand the carriers’ risk appetite, what insurance benefits (such as training) they can offer, and response times, and whether there are any insurance requirements or limits.

Similarly, understanding the writing requirements, Krumberg advised, and how this can affect publication during the process. Also very important: How insurers define cyber events or incidents, because there may be exchanges with other policies.

Siegler agreed, pointing to the remaining aspects of cyber insurance: Incidents due to third-party vendors; lost or stolen equipment; the effects of war, terrorism or invasion; and the insurer’s failure to maintain agreed security policies. He said he is also seeing more insurers requiring organizations to carry less cyber insurance to make it better for other types of coverage.

Business leaders are also trying to determine how much their company needs and whether a single policy or a combination of secondary policies is sufficient, Siegler said. Risk diversification can help this process, because it communicates risk through the shared language of finance. This would provide a basis, along with an existing financial model, to set limits.

Risk assessment can also help organizations assess and calculate the cost of a data breach to determine whether existing coverage can absorb the cost of the potential risk, Siegler said. And when additional support is needed, this approach enables CIOs and other technology leaders to use financial — rather than technical — jargon to help the C-suite better understand risks.

“When talking about risk in businesses, IT leaders can demonstrate cost savings in managing issues and improving security at the cost of insurance or taking risks directly,” said Siegler.

Improving security

There are many steps an organization can take to make itself attractive to insurers. More interestingly, says Siegler: “The better your security, the better your trees grow.”

A consistent, rigorous security program helps organizations protect security, and can reduce overall costs and increases in costs.

“In this new era, organizations need to be prepared with a written security program,” said Krumberg, who added that organizations also need to ensure that their responses to written requirements are in place and working.

To reduce their chances of being seen as inappropriate, organizations may consider contacting a cyber insurance broker to improve their cyber security program, Siegler said. These experts will have special knowledge on how to change the benefits that can be made according to the risk profile, the industry and the size of the company.

Planning is an organization’s best chance to get insured quickly, Siegler said, especially since the insurance process can take up to six months — even when it comes to renewals. As the demand for cyber insurance continues to increase, the survey has grown from 20 to 30 questions to 200 questions, and insurers are also required to interview.

But, Siegler warned, “remember that cyber insurance is not a substitute for good security measures. Cyber ​​insurance can make companies safer.”

The truth is that a cyber insurance provider cannot cover an incident if the company acts negligently, he said.

“A good mirror for any organization is to ask: ‘Are we doing the right things to protect our customers and ourselves?’ If you’re not, change your data systems,” Siegler said.

Strong control, control

Organizations would do well — whether they’re seeking insurance or not — to strengthen identity and access management (IAM), Siegler advised. While this is not a new approach, he said, next-generation security systems have raised expectations.

Instead of relying on usernames and passwords, robust IAM uses multifactor authentication (MFA), device history, geolocation and user behavior to ensure that only authorized users have access to resources. Most insurers will require MFA and the use of VPNs, Siegler said.

Zero-trust architecture goes beyond these controls, requiring users to authenticate each time they access a device or device. Although not essential, zero-trust can also replace IAM.

Siegler encouraged organizations to demonstrate good financial management. Service providers want to see faster detection of new assets and threats through device detection, continuous policy compliance and risk management.

“Insurers want to know that if a cyberattack is successful, your company can quickly determine the extent of the impact and begin incident management,” Siegler said.

In addition, organizations need to improve their data storage and networks, as insurers want to see how data stays safe as it moves slowly within the infrastructure – which is moving; data at rest and stored internally or externally; and the data being used.

Another important defense is developing incident response systems, Siegler said, since cyber insurance providers will look for problems there. A good plan ensures a consistent process from initial response to recovery, and includes several steps, including:

  • Identification: Security personnel are reviewing policies, identifying affected assets and prioritizing the most affected items before taking action.
  • To save (both short and long): Identifying deviations from normal operations and determining whether the deviations are from breaking.
  • To resolve: Identifying and correcting the cause of the breach.
  • Recovery: Bringing affected systems back online through detailed testing of affected products.
  • Change: Following the violation (Siegler suggests within two weeks), and choosing security cleaning methods to avoid similar situations in the future.

In short, “providers don’t want to insure an organization that will incur a loss,” Siegler said. Therefore, “expect potential insurers to review and assess your risk profile.”

A VentureBeat project It is supposed to be a digital city for decision makers to learn about the latest business technology and innovation. Learn more about membership.