As growing numbers of organizations digitize aspects of their operations or embrace digital business models, cyber risk is assuming life-or-death proportions for more and more companies. While business leaders have long been accustomed to managing risks amidst uncertain conditions, those posed by cybercrime have dramatically increased in severity over the past few years. Ransomware attack volumes alone surged 105% over the past year, while the average ransom payment grew by 71%, inching closer to the unprecedented $1 million mark.
Historically, business strategists have had four options to choose from when it comes to managing risk. They could:
Purchasing insurance to protect against cyber risk falls into the fourth and final category. It’s a means of transferring risk. In this day and age, when nearly every company in every industry faces some degree of cyber risk, this can be a sound strategy for hedging the risk of financial losses due to cybercriminal activity.
However, no policy will protect all insured parties against every variety of cyber risk that exists. Insurance companies are for-profit business entities: their goal is never to operate at a loss. Thus, the more you can do to strengthen your cybersecurity posture by implementing technologies, processes and procedures that mitigate risks, the more affordable a policy will be, and the more likely your real-world losses are to be covered in the event of a damaging attack.
When insurance companies first began writing large numbers of cyber insurance policies, they often did so without the underwriting rigor needed to protect their own financial interests. The resulting losses led to across-the-board increases in premiums, and the increasing severity of the ransomware challenge has compounded the problem. By the end of 2021, cyber insurance policy prices had increased an average of 96% year-over-year, with many would-be buyers finding it difficult to obtain coverage at all.
In addition, insurers have become more careful about paying out on policies. After the 2017 NotPetya attack, for instance, Zurich Insurance refused to pay food conglomerate Mondelez International's $100 million claim for the damage it caused, arguing that the global spread of NotPetya was an act of war and therefore excluded from coverage under the policy's war exclusion. Mondelez is reportedly suing Zurich Insurance to recover the claim, but the fact that the question is being left to the courts to decide raises concerns for policyholders about the true extent of their coverage.
With that said, one of the most important things you can do to ensure that your insurance policy will truly protect you is to give your insurer no grounds to deny a claim when an event disrupts your operations or otherwise harms your business.
According to the U.S. Federal Trade Commission, cyber insurance policies can include first-party coverage, third-party coverage or both. First-party coverage protects your data, including employee and customer information. This type of coverage may also include costs related to forensics and breach investigation, fines and fees related to the breach, legal, crisis management and public relations costs and income lost due to business interruption. Third-party coverage, by contrast, provides protection against liability if a third party brings claims against you due to a breach. This may include payments to consumers impacted by the breach, claims and settlements in legal disputes and other litigation expenses.
It’s important to read and evaluate your policy carefully to ensure that it includes coverage for the incidents that may impact your business, including breaches of data held by your vendors or other third parties or criminal acts perpetrated outside the United States.
Cyber insurance underwriters have long required companies seeking insurance to fill out questionnaires about their technology environment and information security practices. Recently, however, those questionnaires have grown increasingly detailed and intrusive.
Insurers might, for example, ask about:
It’s essential to fill out these questionnaires with professional accuracy. A misstatement on the questionnaire, even one that stems from an innocent misunderstanding, can give the insurer grounds to deny your claim in the event of a breach.
It’s also critical to have the right technologies, policies and processes in place. Plans and procedures on paper aren’t enough: your security team needs adequate tooling to give it visibility into what is taking place on endpoint devices and within your network. No cyber insurance questionnaire will list everything you need to think about to improve your organization’s cybersecurity maturity, of course, but thinking comprehensively and holistically about your risks is a good start.
Organizations that don’t have an internal Chief Information Security Officer (CISO) may consider engaging with a managed service provider (MSP) that offers virtual CISO (vCISO) services. Not only can your vCISO help you understand and address your current risks, but they can help you increase your maturity for the future.
In addition, a vCISO can help you:
It can be tempting to go it alone, but when it comes to real-world risk reduction, the benefits of maturing your security posture extend far beyond lowering the cost of your cyber insurance premium.
To learn more about how Netrix’s expert team can help, visit us at www.netrixglobal.com.