Scott Goodwin, COO and Co-Founder, DigitalXRAID
Cyber insurance has become a pressing issue for businesses. Cyberattacks continue to increase year on year, with criminals finding new ways to exploit an organisation and breach its most sensitive data. In fact, in 2022, £4bn was stolen by cybercriminals and fraudsters in the UK – a 63% increase over 2021. It is therefore more important than ever for organisations to obtain insurance to protect against financial ruin should the worst happen. We’re also seeing cyber insurance become a more common requirement in the tendering process for new business, an essential prerequisite for mergers and acquisitions, and a standard expectation across the supply chain. In essence, it’s now harder to operate as a business without it.
Yet the uncertainty of transferring risk from organisations to insurers in the current cyber and political climate is driving an astronomical rise in premiums. Recent studies found that average year-on-year cyber cover renewal rates jumped by 70% in March 2022, and that the vast majority of organisations face a premium increase of over 20%. It could be argued that this dramatic rise in premiums is driving better security practices, as businesses work to reduce their insurance costs. But it’s crucial that businesses understand exactly what they need to do to meet insurer expectations and defend against criminals.
An evolving market
The cyber insurance market has evolved dramatically in the last few years. In response to rising claims, many insurers are seeking to stabilise the market. Cyber insurers have started to narrow what they cover; Lloyd’s of London announced that its policies would no longer cover losses resulting from certain nation-state attacks. More recently, multiple firms have announced catastrophe bonds, which allow greater coverage for their customers by transferring risk onto investors and the ILS (insurance-linked securities) markets.
Insurers now also recognise that they need a clear and reliable understanding of their customers’ risk posture, which is why many turn to external security consultants. These professionals support insurers with questionnaire modifications in order to gather the most relevant risk data on all their customers, and in turn protect the insurer’s own business. The same goes for the companies being insured. It can be a huge challenge for enterprises that lack the technical knowledge in house to understand their risk posture and communicate it to their insurers. Many Managed Security Service Providers (MSSPs) and external security partners now regularly support their customers not only in establishing a solid cybersecurity foundation, but also in lowering their insurance premiums, joining all discussions with insurers and offering the necessary technical insight.
What do insurers want to know?
To get cyber insurance, a business will typically need to fill in lengthy questionnaires and join discussions on where its biggest risks lie, where its most sensitive data exists and what the financial consequences of losing that data would be. This is why it’s helpful for technical cybersecurity professionals to be involved – either in-house experts, for those with the budget and resources for larger teams, or external security partners with a wealth of experience in this area.
As a baseline, the NCSC’s 10 Steps to Cyber Security should be considered before even approaching an insurer. These guidelines present a good foundation for even small businesses, and without following these steps, insurance becomes very difficult to secure. Insurers also put a big emphasis on identity management controls, multi-factor authentication and the encryption of data. While adopting any one of these elements alone cannot guarantee the security of an organisation, the defence in depth that comes from having all of them in place will generate that all-important confidence from insurers. Other areas that will likely form the basis of discussions include:
- Incident response and business continuity planning – What playbooks and processes do you have in place in case your network is breached? How familiar is your team with these?
- Security monitoring – Does the security team have the capability to monitor, identify and mitigate attacks, 24/7/365?
- Protection measures – Which tools and controls are in place to stop a cybercriminal if one area fails, e.g., if an employee falls victim to a social engineering attack or clicks on a malicious link?
- Network architecture – What does the network infrastructure look like, where is data stored, and how easily can threat actors move laterally once they have breached the system?
Could rising premiums be a good thing?
It is possible that insurance has previously bred complacency, even laziness, in organisations’ cybersecurity. Insurance policies used to be seen as a ‘get out of jail free’ card, with teams relying on their cyber insurance policy as their entire security strategy rather than engaging in more proactive measures. Today, this is certainly not the case. To protect their networks and reduce their risk exposure, and therefore their premiums, businesses need to implement cybersecurity measures such as penetration testing or a Security Operations Centre (SOC), which help to reduce the risk of a successful cyberattack. In this way, rising premiums could be seen as a positive development that will encourage better security.
The challenging world of cybercrime demands more proactive security from organisations. This doesn’t have to break the bank: by outsourcing a SOC, security monitoring and advanced threat detection become possible at a fraction of the cost of building the same capability in-house. With purse strings tightening ahead of a predicted recession, businesses need to improve their security posture efficiently and effectively in order to reduce the cost of insurance and better protect their data, their teams and their customers.