There must be a consideration of the ethical question of contributing to the payment of cybercriminals' extortion demands. Any company that pays a cyber insurance premium, regardless of whether it ever suffers an incident or would itself refuse to pay an extortion demand, is potentially filling the pot that will be used to pay extortion demands made on others. Insurance is like crowdfunding; the policyholders all contribute to the payment of a claim.
At the same time, the process of preparing to be eligible for cyber insurance is beneficial to all businesses regardless of whether they end up being insured. It forces companies to take an audit of their cyber environment, understand the potential risks, and enhance cybersecurity posture where needed.
Cyber risks in the business world
There are many cyber risks that a business can face. The most common, phishing, lands in our inboxes every day, and the threat extends through ransomware to more heavily socially engineered attacks such as business email compromise.
Thus, when a business decides that cyber insurance should be part of its resilience plan, the first step needs to be understanding the current environment in which it operates: where and what type of data it processes and stores, what the business disruption would be if it lost access to systems and data, and its current cybersecurity posture. This should enable it to identify any immediate enhancements or changes that can be adopted to improve its overall cybersecurity posture, for example implementing multi-factor authentication to add another layer of security to business accounts.
Selecting an insurance broker that understands your business and has expertise in cyber-related risk and insurance will likely reduce the resources required to complete pre-insurance questionnaires and ensure that your requirements are matched with the best possible insurance carrier.
Typically, an insurer will ask for extensive information about the digital operations of the business, which may include a scan of external-facing network assets to evaluate risk, with unpatched external servers taken as an indicator of the company’s overall patching policy. This information allows the insurer to assess how seriously the company takes cybersecurity, so that it can make an informed estimate of the potential risk and thus calculate an appropriate premium.
This blog is the fifth of a series looking into cyber insurance and its relevance in this increasingly digital era – see also parts 1, 2, 3, and 4. Learn more about how organizations can improve their insurability in our latest whitepaper, Prevent. Protect. Insure.
However, an offer of insurance may be conditional on additional cybersecurity requirements. For example, it’s extremely common for an insurer to require a company to have advanced cybersecurity technology such as Endpoint Detection and Response (EDR). The requirement may stretch to the need for this to be a managed service run by a third party if the insurer believes the company does not have the resources in place to deal with the alerts and output such a system generates.
In some instances, the insurer may ask to see reports generated from cybersecurity management systems to demonstrate that they are not only in place but are also being managed and operated effectively. Remember, insurers also want to protect their bottom line – it’s not strictly about the security of your business, but about mutual benefits.
Insurance is about trust
In all likelihood, the cybersecurity requirements demanded by insurers will continue to increase as the threat landscape becomes more complex and insurers gather more data on the risks presented in certain scenarios and business segments.
Therefore, the selection of a trusted broker and insurer is incredibly important. In the unfortunate event that your business falls victim to a cyberattack, you need to know that the insurer has your back and will provide the services and assistance detailed in the policy. Thankfully, most policies provide companies with the external expertise and services required to respond effectively to a cyber-incident in the moment of need, covering all the required bases.
To discover more about cyber insurance, listen to journalist Peter Warren’s conversations with Lorenzo Callerio, Senior Director of Alvarez and Marsal; Paul Cragg, CTO of Norm Managed Security Service Provider; David Chavez, Cyber Insurance Product Manager; and Tushar Nandwana, Risk Control Technology Segment Manager at Intact Insurance Specialty Solutions.
Learn more about how cyber risk insurance, combined with advanced cybersecurity solutions, can improve your chance of survival if, or when, a cyberattack occurs. Download our free whitepaper: Prevent. Protect. Insure.