Cybersecurity threats targeting organizations of all types and sizes in the public and private sectors are continuous, severe, and likely to increase for the foreseeable future. Protections against cyber threats and the consequences flowing from an attack come from cybersecurity and cyber insurance. In most cases, an organization will need both for complete protection.
Cybersecurity vs. Cyber Insurance
The threats from cyberattacks and the costs of implementing the robust 24x7 protections needed to thwart cybercriminals have mounted. Many executive leaders look for ways to deliver protections without the costs. Partnering with a skilled and experienced external security provider is an excellent way to get the protections needed without having to build the 24x7 infrastructure and teams required.
Another route that some think is a viable alternative is to rely on cyber insurance to cover the costs of recovering from a successful cyberattack. This is a mistaken belief. While it is true that good cyber insurance can provide financial relief after a cyberattack, it is not a substitute for robust cybersecurity protection solutions and staff training. Prevention is better than cure in many things - including cybersecurity.
What is cyber insurance?
Cyber insurance policies are structured to help organizations mitigate the costs that follow cyber incidents like ransomware attacks, sensitive data breaches, and operational disruption. While having cyber insurance to offset costs is desirable, organizations can't use it to avoid implementing good cybersecurity hygiene, defenses, and best practices.
What is cybersecurity protection?
Cybersecurity protection solutions and practices use a range of technologies and measures that aim to prevent cyber attackers from gaining access and to quickly detect attacks when they do. Then promptly respond to avoid widespread damage and remove any malicious software. Post-incident analysis is vital to any cyberattack to review how attackers gained access to prevent future incidents via the same method.
Getting Insurance at a Reasonable Rate
Even if you wanted to use cyber insurance as a safety net rather than implement robust cybersecurity protections, the chances of your organization getting covered are minuscule. The days of underwriters indemnifying any organization against cyberattacks are over. To get insurance in 2023 at a reasonable premium requires good cybersecurity protections and practices to be in place.
We recently wrote about what cyber insurance providers now require before providing coverage. See the article titled Where Are You at With Your Cyber Insurance Journey? linked at reference 1 below. Quoting from this article:
To get insurance, organizations will need adequate safeguards, protocols, and strategies in place as a prerequisite. Insurance providers will typically send out comprehensive questionnaires to organizations and conduct interviews with their designated security professionals. The objective of this data gathering is to obtain a picture of the organization’s cybersecurity readiness, so the insurer can determine whether to provide coverage at all. And if they do, set the coverage premium at a level commensurate with the risk level involved.
We then list four high-level areas where cyber insurers will want to see strong cyber solutions. The four are:
- 24x7 Monitoring, Detection and Response
- Multi-Factor Authentication
- Incident Planning & Incident Response Practice Simulations
- Data Recovery Processes
See the article at ref 1 for more details. Insurers will also be looking for a high level of general cybersecurity awareness and best practice use within any organization seeking cyber insurance. Typically they will be looking for the use of a well-defined framework such as the NIST Cybersecurity Framework (ref 2).
Insurance companies are much more stringent in 2023 because of the costs associated with many cyberattacks, especially ransomware. The State of Ransomware 2023 report from Sophos (ref 3) shows that the average cost to organizations hit by ransomware (and who paid the ransom) was $750,000 in recovery costs per incident. The mean recovery cost in 2023 was $1.82 million (up from $1.4 million in 2022). These latter costs include all the activities required to clean up after an attack, including disruption to operations, staff costs (overtime, etc.) during recovery work, and lost revenue due to the disruption. Often paying a ransom is not the most significant cost.
Given the volume of ransomware attacks, cyber insurance providers are unlikely to cover any organization that can’t demonstrate robust cybersecurity.
Implementing Robust Cybersecurity Protections
The good news is that cyber insurers want to see you implement standard cyber security protections. Ones that most organizations will have thought about and implemented to some degree already. The four items mentioned in the previous section are a good start. Nevertheless, other measures are required to design and implement an ongoing cybersecurity protection plan. We’ve written on this topic several times recently:
The Top 10 Things to Do to Lower Your Cyber Insurance Premiums
Critical Insight CISO Mike Hamilton outlines 10 steps to demonstrate to cyber insurance providers that your organization is an acceptable risk (ref 4).
What is Ransomware, and How Do I Prevent It?
Ransomware is the most significant threat organizations face. SonicWall reported that they saw 494 million ransomware attack attempts on the infrastructure they monitor (ref 5). In a deep dive article, Mike Hamilton covers cybersecurity preventions and measures to defend against and mitigate the risk from ransomware (ref 6).
Frequent Webinars - We also run regular webinars on multiple topics, including all aspects of cybersecurity and cyber insurance. You can watch recordings of these free events on our YouTube channel and signup for future webinars at https://www.criticalinsight.com/resources/events.
Is Self-Insurance Ever a Viable Option?
Given what cyber insurers are looking for to decide whether to provide cover and at what premium, it may be the case that what you need to pay will be significant. In some cases, it may make sense to take the money your organization would have spent on insurance and use it to bolster cybersecurity for one or more years. For some organizations, doing this to get to a time when they can demonstrate better cyber defenses to cyber insurers can result in lower premiums in future years.
Many people refer to this as “self-insuring.” Following this route will require a comprehensive cost/benefit analysis that includes the risks of not paying an inflated premium due to weak cybersecurity. This is an important decision given the current threats, and you should chat with your current cybersecurity provider before going down this path.
Critical Insight Can Help Your Organization
Critical Insight’s expert team is here to help your organization make decisions like the “self-insuring” one.
In today’s threat landscape, robust cybersecurity is crucial for any organization. Moreover, showcasing an effective cybersecurity planning and protection strategy is becoming essential for auditors and insurers. Obtaining cybersecurity insurance at an affordable price, with adequate coverage and deductibles, requires working within an insurer’s evaluation process and demonstrating to them that you are an acceptable risk.
Critical Insight’s cybersecurity professionals focus on the threat landscape. These professionals, plus our 24x7 monitoring teams, can deliver the cybersecurity expertise needed to protect your systems and data, plus deal with your cyber insurance provider. And Critical Insight can work with you and them to ensure you get the coverage you need at the lowest cost.
References
Critical Insight: Where Are You at With Your Cyber Insurance Journey? - https://www.criticalinsight.com/blog/where-are-you-at-with-your-cyber-insurance-journey
NIST: Cybersecurity Framework - https://www.nist.gov/cyberframework/getting-started
Sophos: The State of Ransomware 2023 - https://news.sophos.com/en-us/2023/05/10/the-state-of-ransomware-2023/