By Niall McConachie, regional director UK & Ireland at Yubico
To mitigate the potential reputational and financial implications of a cyberattack, CISOs should always be aware of emerging trends across the cyber threat landscape. With cyberattacks becoming increasingly powerful and complex, more and more organisations are considering cyber insurance – either for the very first time or for expanded coverage.
However, cyber insurance premiums are also becoming more costly, by 150-300 per cent in some instances. When approaching an insurer, applicants must do their due diligence before entering negotiations for better premiums on policies that will pay out in dire circumstances.
Considerations before opting for cyber insurance
Most cyber insurers operate by assuming that data breaches are rare events, and only pay out in the most critical cases. However, reports reveal that over 81 per cent of UK businesses were targeted by at least one cyberattack within the last year. With the increased volatility and frequency demonstrated by today’s cyberattacks, insurance providers have also increased the costs of their premiums, needing to offset surges in customer policy pay-outs. Cyber insurance pricing in the UK has consequently increased by 20 per cent thus far, and is only expected to rise.
The value of cyber insurance should not be underestimated, as a policy can be a determining factor in ensuring the continuity of a business. However, insurance policies only help to recover financial losses following a cyberattack and do not offer preventative cybersecurity measures. It is therefore the customer’s responsibility to implement the measures needed to thwart an emerging attack from the start.
Insurance applicants with proof of robust protections already in place will be offered a lower premium than other applicants, as they are less likely to make a claim soon after. Therefore, organisations looking to take out cyber insurance coverage should first consider these six factors to successfully prevent a cyberattack from occurring.
- Protect the remote workforce
There are more employees working from home than ever before, on either a hybrid or fully remote basis. Consequently, the decentralised security that resulted from these work models has caused the number of emerging attack vectors to soar, and this has not been ignored by cyber insurers. Cybercriminals are keen to prove just how advanced their attack capabilities truly are: hackers are no longer breaking in, but simply logging on with stolen login credentials. In fact, weak and stolen login details contribute to over 80 per cent of successful cyberattacks. CISOs must therefore think beyond firewalls, web proxies, and data protection. Instead, robust multi-factor authentication (MFA) should be the way forward to ensure the protection of remote workers.
- Be aware of policy changes
Cyber insurers will avoid paying out large sums on customer policies, or avoid paying out at all where possible. To counter this, it’s important to document the downtime and all losses from the first instance of a cyberattack or security-related event. Insurance providers will also want to reduce losses of their own. In doing so, insurers may separate the items of a protection policy into specific categories such as identity protection, hardware and system replacements, ransomware pay-outs, and losses due to downtime. Previously, these categories would have been offered as one customer package; nowadays, it is customary for these items to be separated. This prompts insurance agencies to spread the risk through reinsurers, making cyber insurance policies even more difficult to navigate as a result.
- Last-minute security initiatives
If an organisation needs cyber insurance quickly, there may not be enough time to go through a full round of security updates. Alternatively, organisations in these circumstances can implement quick cybersecurity initiatives to include in their applicant profiles. These last-minute initiatives can include improved cybersecurity measures, implementing MFA solutions, or enforcing business-wide cyber training.
- Execute a business-wide review
According to the US’s National Institute of Standards and Technology (NIST) Risk Management Framework, cyber risk evaluations must be scheduled regularly to review any internal and external threats. This process should incorporate a thorough assessment of all user permissions, including IT administrators and critical staff. It’s also important to decide what the most valuable data is and focus cybersecurity efforts on security breach cases that are most likely to occur.
Implementing business-wide MFA should be the minimum objective when performing a cybersecurity review. Following a thorough review, applicant organisations should share the detailed results with the insurer, as this will position the organisation more favourably to negotiate their coverage premiums.
- Passing the insurer’s requirements
Most often, cyber insurers will require a cyber vulnerability evaluation by applicants to assess any existing security gaps and other possible concerns. As global governments continue to implement additional cybersecurity regulations, the use of usernames and passwords will no longer be enough to pass minimum cyber insurer requirements or new de facto industry standards. Previously, the minimum applicant requirement was met with just a CISO’s signature to verify that standards were being followed. This is no longer the case as insurance companies now require more exhaustive processes – especially when it comes to higher-risk or higher-liability policies.
- Ensuring a policy pay-out
It is important for applicants to follow best practices to ensure they have a complete understanding of what the insurance policy will involve and that their most critical assets are insured appropriately. Therefore, organisations should review all proposed insurance policies with the same amount of scrutiny as the insurer may have when assessing new customers.
Additionally, applicants should be wary of generic cyber insurance policies, as the insurer may have its own defined set of cyberattack scenarios, assumptions about how they occur, and attack vectors it expects applicants to be aware of. Here, enlisting the help of a qualified legal consultant familiar with cyber insurance policies can greatly benefit applicant organisations. With a consultant’s help, stakeholders can specify which of their own cybersecurity vulnerabilities are to be covered by the insurance.
Organisations should only sign an insurance agreement with full confidence in their decision. Only once the specifics of the policy are understood and accounted for can the applicant organisation make an informed decision about which cyber insurance policy is truly right for them.