Cyber risk is everywhere. From credential theft to misconfigurations to vulnerabilities and even phishing attempts, there are cybercriminals poking and prodding at organizations from every angle.
This means that organizations not only need to up their cybersecurity, but they also need to think about it in terms of risk and how to holistically mitigate that risk — from identifying threats to protecting against them and responding to them.
Reducing cyber risk isn’t easy, but in recent years a new tool in the cybersecurity toolbox has emerged for organizations to both reduce and transfer their risk: cyber insurance.
Cyber insurance, like other kinds of liability insurance, gives organizations coverage in case of a cyber incident, breach, or specific kind of attack. Cyber insurance enables companies to transfer a portion of the cost of recovering from cyber incidents onto their insurance provider. A policy can cover the costs of damage to others, profits lost, and the cost of negotiating ransomware.
But obtaining cyber insurance isn’t always simple — especially in the age of remote work, ransomware-as-a-service, and digitization — so there’s a few things organizations need to understand as they work to obtain and maintain their cyber insurance policy.
How to Obtain Cyber Insurance
The first task is to evaluate your current security architecture and understand what’s needed to qualify for a strong cyber insurance policy. While every policy is different, and every organization has different security controls in place based on security and business needs, there are a few basic security controls that are commonly required.
These security controls include:
1. Multi-factor Authentication (MFA)
This identity and access management tool helps prevent credential theft and adds a layer of protection for user logins.
2. Endpoint Detection and Response (EDR)
This monitoring tool needs to have human or automated responses to endpoint alerts.
3. System Backups
These backups need to happen frequently, need to be encrypted, need to be offline, and need to be regularly tested to ensure they work as intended.
4. Email filtering and Web Security
Business email compromise (BEC) attacks are on the rise and, considering that email is the main form of communication for many businesses and vendors, that element has to be protected from cyber criminals.
5. Patch Management
Many attacks begin with external exposure, and, unfortunately, over half of all breaches borne of vulnerabilities breaches could’ve been prevented with proper patching. Implementing a regular patch management strategy stops these threats in their tracks.
6. Incident Response Planning and Testing
Having a strong incident response plan, and testing that plan to make sure it works, is critical for saving time, costs, and data if the worst-case scenario occurs.
7. Employee Training
Users can be the first line of defense, and also a major target, when it comes to cybercrime. Building a strong culture of security awareness can prevent phishing attempts, protect credentials, and exponentially increase an organization’s overall security.
8. Limit Domain Privileges for Accounts
If a breach occurs, lateral movement can happen quickly. By limiting how users can move through the environment and what they can access, a business is also limiting how a hacker could move through the system if they were to gain access through credential theft or another method.
Different Kinds of Cyber Insurance
As it is still a new industry, not all cyber insurance is the same, and coverage can vary. According to a recent survey by Arctic Wolf, 33% of respondents said their policies covered everything, 31% said their policies covered everything except ransomware payments, and 30% of policies had additional exclusions beyond ransomware. In addition, carriers are currently trying to figure out how to reduce the cost of policies and the number of policies, as blanket coverage on every kind of cyber attack has proved costly.
Every cyber security policy is different, with a wide range spanning from bare-bones offerings to more “platinum” options. The lower-end, entry-level offerings are endorsements to standard corporate insurance policies, but often exclude, or severely limit, coverage for more costly cyber incident expenses.
A more full-fledged solution is a standalone cyber insurance policy with limits devoted exclusively to covering cyber losses, incident response and loss control services tailored for cyber risk.
Learn more about the different kinds of cyber insurance with “The Global State of Cyber Insurance.”
Incident Response Retainers vs. Cyber Insurance
While there are benefits to obtaining a retainer, especially if you work with a security platform that provides incident response in addition to other services, it is not the same as cyber insurance. IR retainers help with the cost of incident response, remediation, and restoration. It’s more of a cost reduction, while cyber insurance gives organizations assurance that some costs associated with the incident (like the cost of downtime or ransom) will be recovered.
However, both incident response and cyber insurance work together, and organizations should consider both for full protection.
Why Organizations Need Cyber Insurance
Implementing and managing all of the above is not a small task for any organization. It takes tools, people, and money to make it happen. And how those measures are implemented depends on budgets, business needs, and what risk an organization is willing to accept. So, why do all of that just to obtain insurance?
There are a few reasons all organization leaders should consider insurance:
- It helps transfer risk, so the business does not assume ALL cyber risk
- It helps the organization grow as they accept the challenge to make positive changes and further their security journey
- It enables secure value creation — a secure business is worth more to customers, partners, and the market
- It puts the organization in touch with risk mitigation resources and experts, unlocking an entire world of partners and assistance
- It helps deliver the framework an organization needs for proper incident response
All those aspects are beneficial to organizations from multiple perspectives. It’s important to note that cyber insurance alone can’t end cyber risk But in the same way a beach-front property needs flood insurance, cyber insurance helps a business stay standing if a cyber storm blows in.
How to Obtain Insurance
Now that the benefits and requirements are understood, the remaining piece of the puzzle is to actually purchase insurance. First, an organization needs to work with a broker. Every policy, every business, and every risk factor are different, so working with a broker is critical in choosing the right policy for achieving specific security and business goals.
The basic steps are:
- An organization meets with a broker to discuss risk, needs, and policies
- The organization completes a questionnaire highlighting their internal security controls
- The broker takes that application to carriers and negotiates a rate and plan
- The business is presented with options and chooses a policy that meets their current and future needs.
Of course, the process in real life is a little more complicated and nuanced, but that’s the outline of what an organization should expect.
Learn more about cyber insurance with the “Cyber Insurance Buyer’s Guide.”
Understand how Incident Response and cyber insurance work together with Arctic Wolf® Incident Response.
And learn how coverage is evolving in the current cyber threat landscape with The Cyber Insurance Outlook.
