How to assess your cyber insurance needs
Once a company has understood the state of the current cyber insurance market and the scope of coverage, it can then explore whether a policy will be of benefit.
Assured’s Ventham offered a checklist for how organizations should go about assessing their cyber insurance needs:
- What would be the impact if you had a cyberattack that took your business offline for a day, a week, or a month, etc.?
- How quickly would you prevent that attack from spreading?
- What risk can you afford to take on yourselves?
- How prepared are you to respond to an incident?
- What are you looking for in a cyber insurance partner? Is your insurer addressing your risk and concerns? Are you confident they will pay out?
Richard Seiersen, chief risk technology officer at Qualys, who previously worked in the same role for cyber insurance provider Resilience, says organizations need to quantify what they stand to lose from potential attacks, ransomware in particular.
Losses fall into three categories: extortion, business disruption and potential data breach.
“As a defender you are exposed to all three of these loss classes,” according to Seiersen. “Keep in mind that around 70% of ransomware attacks include data breach, but that more modern attacks may be data breach-only to motivate extortion.”
You will also have to assess the current state of your security operations and be prepared to make investments to improve those operations should an insurer require you to do so after performing a pre-insurance audit.
“Many insurers will now conduct a pre-insurance scan of public-facing infrastructure and assets,” ESET’s Anscombe says. “The scan will highlight any existing weaknesses, such as unpatched servers, public facing RDP [Remote Desktop Protocol] servers, expired certificates, and the like.”
While inspections of internal systems are typically excluded from these audits, they nonetheless give insurers insight into a potential client’s security maturity, allowing them to assess its risk profile.
The process of meeting the insurer’s requirements should, at least in theory, reduce the risk for a company whether or not it opts to buy insurance.
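A defender-side self-check for two of the items Anscombe lists (public-facing RDP and expired certificates), as an added example that is not from the article or from any insurer’s tooling. The asset inventory, host names, certificate dates and the fixed assessment date are constructed, in the shape an external scan of your own perimeter would report them:

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory of public-facing assets: host, open port, service,
# and the certificate notAfter string in the format returned by
# ssl.SSLSocket.getpeercert() (None where the service has no TLS).
INVENTORY = [
    {"host": "www.example.test", "port": 443, "service": "https",
     "not_after": "Jan  1 00:00:00 2040 GMT"},
    {"host": "mail.example.test", "port": 443, "service": "https",
     "not_after": "Jan  1 00:00:00 2020 GMT"},
    {"host": "vpn.example.test", "port": 3389, "service": "rdp",
     "not_after": None},
    {"host": "api.example.test", "port": 8443, "service": "https",
     "not_after": "Jan  1 00:00:00 2040 GMT"},
]

# Remote-administration services an external scan will flag when reachable.
EXPOSED_ADMIN_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB"}

# Constructed fixed assessment date so the results are reproducible.
ASSESSMENT_DATE = datetime(2025, 1, 1, tzinfo=timezone.utc)


def days_until_expiry(not_after, now):
    """Days until the certificate expires; negative if already expired."""
    # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                    tz=timezone.utc)
    return (expiry - now).days


def assess_exposure(inventory, now=None, warn_days=30):
    """Return (asset, severity, description) findings for the inventory."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for asset in inventory:
        tag = f"{asset['host']}:{asset['port']}"
        if asset["port"] in EXPOSED_ADMIN_PORTS:
            svc = EXPOSED_ADMIN_PORTS[asset["port"]]
            findings.append((tag, "HIGH", f"{svc} reachable from the internet"))
        if asset["not_after"]:
            days = days_until_expiry(asset["not_after"], now)
            if days < 0:
                findings.append((tag, "HIGH", f"TLS certificate expired {-days} days ago"))
            elif days <= warn_days:
                findings.append((tag, "MEDIUM", f"TLS certificate expires in {days} days"))
    return findings
```

Running `assess_exposure(INVENTORY, ASSESSMENT_DATE)` on the constructed inventory yields two HIGH findings: the expired mail certificate and the internet-reachable RDP service.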
“Insurance firms could be at the forefront of a new wave of ‘baseline standards’ which could be much more dynamic and responsive to the threat landscape than any international standard or industry regulator,” Proofpoint’s resident CISO Andrew Rose adds.
Is cyber insurance worth it for your business?
Insurance policies can help organizations recover following a successful attack and can help reduce risk. They can also enable organizations to earn business, as many organizations require it from their vendors and partners.
Even so, some organizations find they can’t justify paying the premiums; some — particularly small and midsize enterprises — find they can’t meet the controls insurers now require. Still others decide they’re better off investing in their security programs rather than in insurance.
“You have a decision to make as a business what you can afford. It’s a cost-benefit analysis,” says Protiviti’s Pisano.
To make this decision, CISOs are being called on to work with risk, legal, and other executives to evaluate their organization’s cybersecurity posture, articulate the threat landscape, quantify risks, and make recommendations on the best path forward, he says.
For some, the decision ends up being to avoid making the cyber insurance investment.
This article was originally published on Oct. 5, 2022, and has been updated since.