This blog post is based on a recent interview with Florence Levy, EVP at INSUREtrust, a cyber insurance and risk management specialty broker. You can view the complete interview here.
Cyber insurance is an essential component of any risk management strategy, as no organization can bank on its cyber defenses being 100% invulnerable. It's also essential because even a successful defense against an attack can still result in significant costs. To mitigate risk, it makes sense to invest in financial protections as well as technical/operational ones.
Of course, cyber insurance is a complex field that can hardly be covered in a single blog or podcast, but here are three key cyber insurance concepts that will help every CISO make better informed decisions on coverage.
CONCEPT #1: What cyber insurance covers
Cyber insurance policies can vary considerably, depending on the needs of the insured and the underwriting policies of the insurer. Coverages can generally be divided into two categories:
- First-party liabilities are those you may incur directly as the result of an attack and/or breach. These liabilities can include the actual financial harm done to your business, such as the cost of business interruption, theft in the form of invoice fraud, payments made to ransomware actors in the form of cryptocurrency, and the expenses involved in restoring affected data and IT systems. They can also include fees paid to breach consultants and cyber forensics firms, the cost of notifying customers and other affected parties, and PR expenses incurred to reduce damage to your company's brand.
- Third-party liabilities are those arising from claims by customers, supply-chain partners, regulators and others. These liabilities can include direct demands for compensation, lawsuits, and financial penalties imposed by government agencies and/or trade associations.
CONCEPT #2: Cyber insurance premiums are based on multiple factors
Cyber insurance underwriters tend to have very different approaches to evaluating cybersecurity risk. Some of the factors they consider are “macro,” such as whether your organization is in a high-risk market such as health care or payment processing. But they also evaluate your organization's overall risk-worthiness to determine 1) whether you meet their minimum threshold of insurability and 2) how they should size and price the coverages they deem appropriate.
When shopping for cyber insurance, it's important to bear in mind that your organization won't be judged on its security controls alone. The most astute insurers will evaluate your overall cybersecurity posture, which includes:
- Prevention and preparation: All the controls, policies, and other obstacles you've put between your organization's assets and the full range of possible threat actors.
- Detection and response: All the telemetry, analytics, alerting, processes, and human talent you have in place to quickly discover, identify, and excise malicious activity in your environment.
- Recovery and resilience: All the measures you've implemented to minimize the financial impact on your organization if an attacker ever succeeds in inflicting actual harm.
Your organization's previous loss history will likely also figure into any underwriter's cost/coverage calculations.
CONCEPT #3: Optimizing your premium-to-coverage ratio
While the market forces that have been driving up cyber insurance premiums are beyond your control, you can take action to ensure that you obtain the most coverage for your organization at the least cost.
Key items that any prospective insurer is likely to review include:
- Comprehensive implementation of multifactor authentication (MFA)
- Extended detection and response capabilities, preferably from a proven provider who can deliver 24/7/365 coverage (XDR/MDR)
- Backups that are secure, encrypted, and continuously tested
- Privileged account management that follows established best practices
- Vulnerability management that stays fully up to date with critical patches
- Adversarial testing that validates your assumptions, exposes your shortfalls, and enables continuous improvements in your cyber defense posture
- Crisis/continuity planning that includes the business
- Digital hygiene education and testing for end-users to optimize their resistance to phishing and other social engineering
Above and beyond any such checklist, smart underwriters will be looking at how all the individual pieces of your cyber defense fit together to form a mature, cohesive strategy for mitigating the total risk to your business — and therefore, by extension, to them.
Because it can take some time to assess and improve your cybersecurity posture — and because the evaluation of that posture by an underwriter can also be somewhat involved — it's a good idea to start preparing for a policy renewal at least six months in advance.
It's also a good idea to look for an insurer who can act as a partner in your risk mitigation efforts with services that complement their policy coverage.