By Paul Cragg, Chief Technology Officer, NormCyber
The need for cyber insurance has never been greater, with the landscape shifting dramatically year upon year. A report from the UK Government estimated that UK businesses have experienced approximately 7.78 million cyber crimes in the last 12 months, up from 2.39 million instances in the year prior. However, the cyber insurance landscape is notoriously difficult to navigate, and it can be a challenge for organisations to secure optimum insurance that doesn’t cost the earth.
Cyber insurance contributes towards the costs of data recovery, legal fees, regulatory fines, and business disruption. Without this insurance, the significant operational impact of cyber incidents – not to mention damage to organisations’ reputations – can have damning consequences for a business’s finances and its ability to recover after a cyber attack.
So how can financial services organisations ensure they present an attractive, low-risk case for cyber insurance?
A tug-of-war: Challenges facing insurers and organisations alike
A plethora of complexities face the cyber insurance industry, all contributing to uncertainty.
As technology continues to advance and cyber attacks increase in severity, attackers learn increasingly sophisticated ways to bypass security systems and leverage tools such as artificial intelligence and zero-day vulnerabilities. As a result, cyber insurance premiums have been pushed to breaking point.
In addition, the absence of any standardised process for measuring cyber risk and determining premiums, combined with the unpredictable nature and speed at which cyber threats continue to develop, makes it extremely difficult for insurance providers to plan ahead and set clear premiums. This lack of certainty has created a climate of cautiousness, with many insurance providers tightening their coverage areas – for example, by excluding nation state attacks from policies.
On the other side of the coin, finservs are also affected by the lack of clear ‘cyber health’ benchmarks. Mindful that they could be targeted by criminals, many businesses want to be as prepared as possible, but knowing where to start – especially when there is no set structure to follow – can make it difficult for them to determine just how eligible they are for good cyber insurance cover. Other companies may find themselves priced out of the market when the time comes to renew their existing policies, thereby increasing their exposure to risk.
Fail to prepare, prepare to fail: How finservs can present their case for coverage
As the nature of cyber threats continues to evolve, there is a larger emphasis being placed on organisations to bolster their defences. Insurance providers will look for evidence of minimum baseline controls set in place before an organisation can even be considered for coverage.
Primarily, financial services organisations should concentrate on strengthening their cyber security postures, implementing endpoint protection, firewalls, and staff training. Businesses that take a more proactive stance, for example, by prioritising continuous monitoring and establishing robust incident response protocols, will find it easier to demonstrate a satisfactory level of preparedness to insurance providers.
Additionally, cyber insurance policies require strict compliance with regulatory demands. Insurance providers evaluate a company’s risk profile when assessing its insurance needs. By taking the time to ensure that GDPR and EU/UK data protection policies are up to date, finservs can work towards lower insurance premiums.
Financial services organisations may find it beneficial to enlist support from managed security service providers (MSSPs), which have extensive experience in the processes and best practices that go into securing comprehensive cyber insurance. These third-party organisations can provide empirical benchmarks and in-depth insight on organisations’ current cyber postures, conduct assessments that identify their risk exposure, and help guide them in plugging any gaps in their defences. This comprehensive course of action should enable finservs to qualify for their insurance policy of choice, faster and more easily.
The road to clarity
Prevention is always better than cure, and the cyber security industry embodies this adage. By taking precautionary measures that proactively monitor for and defend against threats, whilst investing in quality security training for their staff, finservs can instil effective barriers against threat actors and keep their insurance premiums low.