Cyberattacks are on the rise, and businesses are increasingly turning to cyber insurance to help offset the costs of breaches. But the uptick in cyber incidents is also driving up cybersecurity insurance premiums. In the US, cybersecurity insurance premiums increased by an average of 79% between 2021 and 2022 alone, making it difficult for organizations to determine whether coverage is worth the cost.
Cybersecurity insurance can be a valuable tool for businesses, but before making a purchase, it is important to understand the factors insurance companies use to determine premiums, such as the likelihood of a cyberattack, the most common types of attacks in the organization’s industry, the quality of an organization’s incident response program, and its overall cyber resilience. With these in mind, an organization can take proactive steps to reduce its risk, making it more attractive to insurers.
The following five recommendations can help your organization reduce its level of risk and lower cyber insurance premiums:
1. Standardize on a framework
US cyber insurance companies must determine whether an organization has standard security practices in place. Standardizing on a framework such as the NIST Cybersecurity Framework allows you to demonstrate the maturity of your program.
Mapping to NIST enables your organization to:
- Perform third-party gap assessments that show your coverage level. While this is not an attested report, it often provides more value than the SOC 2 report because it assesses your whole program under the NIST framework rather than a small number of selected controls.
- Report on addressable metrics to demonstrate the overall maturity of your program, show that you track each incident, and have goals to reduce detection and response times.
- Show progress toward vulnerability management and present case studies that highlight your ability to identify, address, and remediate large (named) vulnerabilities across your company.
2. Demonstrate Cyber Resilience Maturity
Cyber resilience can be challenging to prove, but it is one of the top calculations used by insurance providers to assess your organization’s security posture. For insurers, it answers the questions, “Will we have to pay in the event of a cyberattack, or will our customer be able to recover their environment quickly with minimal impact to the business?”
To demonstrate cyber resilience maturity, your organization should:
- Show proof that all critical is backed up in an air-gapped environment and is RECOVERABLE.
- Provide examples of recovery exercises and their results.
- Share your full recovery times from recent exercises. Was the environment functioning within one hour, and was all data restored within 24 hours? Show a timeline.
3. Multi-Factor Authentication
There are varying levels for the deployment of multi-factor authentication (MFA) platforms. While nearly every company has at least one application utilizing MFA, finding 100% deployment is exceedingly rare.
Showing a commitment to MFA may help lower your premiums:
- Take MFA seriously, as Cyber Insurance clauses require a signature from the applicant’s CEO attesting to the use of MFA at multiple levels.
- Have a plan for preventing MFA compliance drift. As time goes on and the exception process breaks down due to complexity, third parties, and network architecture changes — a drift from full compliance can occur. Having and sharing your organization’s plan for preventing MFA compliance drift — for example, using continuous authentication or continuous adaptive risk and trust assessment (CARTA) — may help you maintain a lower premium.
4. Active Monitoring with Managed Detection and Response
Cyber insurers want to know that your team is capable of proactive detection and response. Some carriers now require 24-7 detection and response capabilities. You can reduce your premiums without putting extra pressure on IT by offloading to a Managed Detection and Response provider.
With a Managed Detection and Response service, your organization can:
- Demonstrate that it has a clear incident response process and lower the likelihood of being attacked.
- Rapidly detect and escalate attacks to a skilled security operations center (SOC) to help reduce the overall expense.
- Prevent insurers from bringing in their preferred cybersecurity partner as a condition of making a claim.
5. Negotiate Coverage
There are two major types of cyber insurance coverage: third-party liability coverage and first-party coverage.
You may choose to purchase either or both types of coverage.
- Choose first-party coverage to protect your company from expenses incurred from a data breach or when your company is hacked.
- Choose third-party coverage to protect your organization when a customer, vendor, partner, or other party sues you for allowing a data breach to occur.
Cyber liability coverage may spell out the types of incidents and damages they will pay for such as “ransomware insurance” or “data loss insurance.”
Cybersecurity risks are on the rise for businesses of all sizes and having insurance against these risks is becoming increasingly important. While cyber insurance can be expensive and difficult to understand, organizations can take steps to reduce their premiums by improving their cybersecurity practices and increasing their cyber resilience.
By implementing proactive solutions such as updating software frequently and investing in staff training, organizations can better protect themselves from malicious attacks. In addition, companies should consider incorporating artificial intelligence (AI) into their security protocols as a way to stay ahead of any potential threats. Doing so could enable them to more effectively detect and block attacks before they can do harm. Cybersecurity is critical in today’s business environment, and understanding your own risk profile is the key to success when it comes to preventing cyber crimes.
About the Author:
Ricky Allen is the Field CISO for CyberOne Security, an ISSA Fellow, and Past-President of the South Texas ISSA chapter. He holds certifications such as SABSA Security Architecture, CISSP, CISA, and Six Sigma. At CyberOne, Ricky provides security architecture design and leadership management for customers across the country. Ricky previously held roles at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the practice lead for developing Security Operations programs for ArcSight SIEM products. Ricky was focused on retail and manufacturing industries while at PwC where he managed penetration testing and risk assessments for companies across the US. Ricky has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Ricky is based in Houston, TX and has a degree in Management Information Systems from Texas A&M University.