Understanding Cyber Insurance Coverage

Part of risk transfer for organizations in recent years is cyber insurance, which can provide financial assistance in case of an incident.

Cyber attacks are increasing in frequency and severity, with the trend ticking upward year after year. As the volume of attacks continues to rise and threat actors work to evade cybersecurity measures, organizations are increasingly adopting a strategy that helps minimize the effects of a potential breach – risk transfer.

Risk transfer, meaning the placement of financial, operational, or security risk onto a third party, allows organizations both to focus on proactive cybersecurity measures and to ensure that, if an incident occurs, they may have financial and personnel support to assist with the aftermath.

A growing part of this risk transfer strategy for organizations in recent years is cyber insurance.

What Is Cyber Insurance?

Cyber insurance is a product sold by a third-party insurer that provides financial assistance and coverage in case of a cyber incident.

Broadly, cyber insurance operates similarly to other kinds of insurance. If you have car insurance and you get into an auto accident, the insurance, depending on the policy, is intended to offset the cost of your vehicle repairs. With cyber insurance, if an organization is breached, the organization’s policy may provide financial assistance for direct and indirect costs related to the breach.

Cyber insurance policies generally fall under one of two types. First-party cyber insurance focuses on financial compensation to the organization itself during and after a cyber incident. Third-party cyber insurance, sometimes included within the same policy, covers liability and financial losses if the cyber incident affects a third party connected to the primary organization – such as a customer filing for damages because of the cyber incident.

Cyber insurance can cover:

  • Incident response (IR) and remediation costs
  • PR communications post-incident
  • Legal needs post-incident
  • Compliance needs post-incident
  • Operational or downtime losses
  • Data recovery if data is compromised during an incident
  • Cost of ransom demands during a ransomware attack
  • System damage repair costs
  • Liability to business partners
  • Identity monitoring and restoration if client and customer information is taken during the incident

As cyber insurance evolves, new or expanded coverage options are being added by insurers. Three new common additions to cyber policies that organizations may be able to obtain are coverage from social engineering attacks, bricking coverage (the replacement cost for physical equipment damaged during the attack), and reputation harm coverage.

When organizations are considering cyber insurance, they should evaluate their own needs thoroughly and consider their organization’s size, risk exposure and risk profile, and potential impact to business operations in the event of a serious cyber incident.

As we’ll discuss in more detail below, the specifics of a cyber insurance policy will differ depending on a number of factors, and it’s vital for organizations that are seeking cyber insurance to seek out a policy that provides the right amount of risk coverage and financial support for their organization’s business and security needs.

What Types of Cyber Insurance Are Available to Organizations?

In addition to the differences between first-party and third-party insurance, the specifics of policies, as well as the amount of coverage, can vary widely.

According to the Arctic Wolf report, The Cyber Insurance Outlook 2024: North America, surveyed organizations with cyber insurance have a “moderately high level of confidence” in their policies and their coverage, “with an average confidence score of 7.1 out of 10 in terms of fully covering the cost associated with an attack.” Additionally, organizations are being offered, and opting for, more comprehensive policies – 57% report their plans have become more comprehensive compared to prior years.

These stats broadly show the level of coverage organizations are obtaining, how much risk they hope to transfer with their coverage, and in turn what policy holders report that their insurance policies offer and exclude. Exclusions, in fact, are a critical component of the cyber insurance landscape.

While exclusions can and will vary by policy, there are some commonly known ones, often tied directly to an organization’s cyber risk or to the kind of policy it acquires.

Common items and instances cyber insurance does not cover include:

  • Costs tied to an incident that occurred due to poor security processes or having ineffective cybersecurity architecture in place
  • Costs related to incidents and breaches that occurred before the policy was purchased
  • An incident that originated with human error (unless a social engineering add-on is in place)
  • An insider attack
  • Preexisting and known vulnerabilities
  • Financial support to improve your organization’s IT systems
  • Loss of future revenue (loss of revenue or income that extends beyond a policy’s indemnity period)

It should be noted that cyber insurance is not the same as a cyber warranty, which is commonly more limited in scope and originates with a specific cybersecurity product or vendor.

With the steady increase in cyber incidents and the corresponding increase in payouts made by insurers, an organization’s overall cyber risk and related mitigation measures have become deciding factors in its ability to secure or renew a policy, as well as in its insurance premiums and coverage limits.

Benefits of Cyber Insurance

Cyber insurance is becoming much more than a “nice to have” for organizations, and while obtaining cyber insurance may be relatively new, it is a growing part of organizations’ cybersecurity and business strategies.

Benefits of obtaining a cyber insurance policy can include:

1. Possible reduction of immediate costs for remediating and restoring operations during and after a cyber incident, including legal fees, forensics investigations, PR costs, and more
2. Partial cost coverage for equipment damaged or degraded during a cyber incident
3. Potential cost coverage for regulatory fines that may result from a cyber incident
4. Partial ransom payment compensation after a ransomware attack
5. Potential coverage for recovering data lost during a cyber incident
6. Likely strengthening of security posture due to cyber insurance security control requirements

Cyber Risk and Insurance Policies

If your organization’s cyber risk profile is deemed high by insurers, then the coverage, and the cost of that coverage, can be relatively higher. It’s similar to how teenage drivers have higher auto insurance rates, including premiums and deductibles, due to their higher risk factor as new drivers.

According to insurance providers polled in The Cyber Insurance Outlook, 48% of insurers added new requirements for customers in 2023, including security controls. The most common security control requirements to obtain or maintain coverage according to the survey are cloud security monitoring, logging and network monitoring, and privileged access management (PAM).

Customers surveyed also listed the three most-common security controls they implemented to lower their own premiums, which were PAM, patch management and vulnerability management, and obtaining an incident response retainer.

The controls listed span the cybersecurity spectrum, from monitoring to risk management to incident response, showing how valuable comprehensive, end-to-end cybersecurity is not only in reducing your organization’s risk but also in increasing its insurability.

Arctic Wolf, through our own work in incident response and alongside cyber insurance brokers and carriers, has identified three types of risk profiles that insurance providers group organizations into – basic, premium, and elite – with each bucket having varying levels of insurability in terms of both coverage and cost.

A basic risk profile has the following security controls in place:

  • Multi-factor authentication (MFA)
  • Remote desktop protocol (RDP)
  • Virtual private network (VPN)
  • Patch management program
  • Incident response plan
  • System and database backups

A premium risk profile has:

An elite risk profile has:

Learn more about how insurers evaluate cyber risk and understand how your organization can evaluate and elevate your risk profile.

Best Practices for Obtaining Cyber Insurance

Obtaining a cyber insurance policy is not a simple task, especially if an organization is opting for stand-alone cyber insurance. There is a significant amount of paperwork, investment, and qualifications that need to be achieved. While the process may differ slightly across organizations, there are best practices one can follow to help keep the process smooth.

1. Work with an experienced cyber insurance broker. A trusted broker will guide your organization through underwriting, policy comparison, and help explain the technical controls needed to stay insured, as well as relay your current controls and security posture to the insurance provider. Ensuring your broker has experience and expertise in the cyber insurance space means you’ll have a strong advocate in your corner.

2. Demonstrate your security posture. Because risk is such a critical factor when it comes to your insurability, being able to clearly show the steps your organization has taken to mitigate risk can make a major difference. This means showing the products and controls you have in place, what vulnerabilities exist in your environment (and preparing for an external vulnerability scan as part of the application process), whether you have an IR retainer, and more.

Learn how the Arctic Wolf Cyber Risk Assessment can help your organization improve and demonstrate your insurability to both brokers and carriers.

3. Reduce your human risk with security awareness training. Users are becoming a more prominent part of the attack surface, and insurance policies now offer social engineering add-ons in response. Investing in a security awareness training solution will show your underwriter and carrier that you’re actively reducing human risk while enhancing your security culture.

4. Maintain a clean claims history. Like with other kinds of insurance, having a history of claims has the potential to hurt your organization as you apply for new insurance. Implementing a security operations solution or working with a third-party cybersecurity provider can help your organization proactively stop threats before they turn into incidents, potentially limiting your need to file claims before and after you obtain insurance.

How Arctic Wolf May Improve Your Insurability

As a security operations provider, Arctic Wolf can help your organization reduce cyber risk and detect and respond to immediate threats. Our combination of expertise and offerings, delivered through our Concierge Delivery model, helps your organization identify key security controls, remediate security gaps, reduce your risk profile, and enhance your overall security posture.

Arctic Wolf offers:

  • End-to-end risk reduction through our world-class solutions
  • An integrated cyber insurance assessment rating that can be shared with your broker and other third parties through our Cyber Resilience Assessment
  • A security operations warranty on certain products and services that may help offset the financial burden of a deductible
  • An experienced IR team in case of an incident

Learn more about how Arctic Wolf simplifies and enhances your process to obtain cyber insurance.
Explore cyber insurance in-depth with our Cyber Insurance Buyer’s Guide.


DISCLAIMER: The contents of this blog post are for educational purposes only and Arctic Wolf is not endorsing any insurance provider, product or service. Arctic Wolf and its employees are not licensed producers and therefore are not engaging in the sale, solicitation or negotiation of insurance and are NOT offering advice regarding insurance terms, conditions, premium rates or claims. Customers interested in purchasing cyber insurance coverage should consult with an appropriately licensed insurance broker.
