Considering Cyber Insurance? You Need a Solid Security Strategy
Cyber attacks have been growing exponentially in recent years, and with recent world events triggering the need for more money, ransomware and other attacks have increased to an all-time high. CybersecurityIntelligence.com reported that corporate cyber attacks rose by 50 percent in 2021, and according to an Allianz Risk Barometer survey published in Forbes, “The threat of ransomware attacks, data breaches, or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic…” With that, many organizations are purchasing cyber insurance. Let’s talk about what cyber insurance is and what it typically covers, what it takes to qualify for it, and where you can get it.
What is Cyber Insurance, and Who Needs It?
Cyber insurance, or cyber-liability insurance, is a policy that protects organizations from the damage inflicted by cyberattacks and hacking. The goal of a cyber insurance policy is to mitigate the disruption to a business after an attack and cover as much of the financial cost associated with an attack as possible.
Different policy providers might cover different things, but cyber insurance is generally likely to cover the immediate costs associated with your organization falling victim to a cyber attack. Cyber insurance policies are designed to cover the aftermath of a ransomware, phishing, or other attack—typically including data recovery, system forensics (investigation and remediation to determine the cause and correct it), and legal defense around cases brought by customers impacted by the attack. However, it should not be assumed that your policy will compensate you for monetary losses.
Because nearly all organizations conduct some or all of their business online or rely on technology to conduct business, nearly every organization could benefit from getting a cyber insurance policy. Cyber criminals are mostly after data—personal data, intellectual property, or sensitive financial data are the most lucrative and, therefore, more heavily targeted. There is also the potential for interruption to business as a result of ransomware attacks, which are also very lucrative. Consider the statistic from betanews.com that cybercriminals have the ability to penetrate 93 percent of company networks, and you have another very good reason for cyber insurance.
How Do You Qualify for Cyber Insurance?
As with any area of coverage, insurance companies are going to expect you to take as many precautions as possible—and they’ll be looking for you to show you’ve done just that to reduce risk and liability. They’ll be most interested in how you’re protecting that valuable data listed above, not what you’re doing with your Word docs or spreadsheets. The safety and security of your data is what keeps them up at night because it’s ultimately what they will be responsible for should something happen.
It’s important to note that it’s going to be harder than ever to get cyber insurance. The Harvard Business Review reported that the huge increase of ransomware and cyberattacks translated to big payouts last year, with the average ransom payment increasing 82 percent from 2020 to 2021, so insurers are going to be very selective about who they cover. It’s important, then, to have every base covered before you start inquiring.
Here is what most insurance companies will look for before they write a policy for your organization:
- How well are your systems being maintained? Are you using patches? How often are you updating them? Insurers want to see that you have a clear procedure and are at a minimum applying security updates to your operating system and applications to ensure there is no back-door entry into these systems. We discuss this in detail in Protecting Your Business Against Security Threats with Good IT Hygiene.
- Do you have a solid data backup strategy? Even if you have a solid physical backup strategy, you will be in trouble if your physical building or data center is destroyed, your equipment is stolen, or your backup data is corrupted by ransomware. This is why many organizations are moving their data to the cloud.
- How well versed are your users in security and protecting themselves and the company from attacks? Do they know what to look for? Do they know what a phishing, SMS, or social engineering attack looks like? Do they know what to do/not to do? Do they know the procedures for physical security, like making sure the person coming in the door behind them doesn’t come through the door on their ID scan?
- A strong password policy is also very important—and also involves all your users. It’s not enough to have a password today; multifactor authentication provides an extra layer of validation to ensure the person logging in really is who they say they are and makes it harder for an attacker to compromise your environment. Passwords also need to be a certain length, have a certain level of complexity, and change regularly.
- Are your systems being monitored 24/7? Most attacks don’t occur during office hours when everyone is there and watching. You should have an environment monitoring solution that will raise an alert, and you need a procedure for ensuring someone is listening for those alerts. The key here is to stop the threat before it spreads. One option is a 24/7 proactive monitoring service, offered by companies with the expertise not only to watch for alerts, but also to know what action to take.
- Do you have endpoint security management? This includes policies and processes that help with supervising and authenticating access rights of endpoint devices to a network to prevent threats due to exposure. It defines how users are allowed to access applications, which is determined by the company’s policies. Those policies are pushed out to every device the company allows to access its network.
The Cost of Cyber Insurance: Worth the Investment and Surprisingly Affordable
Most readers might think that cyber insurance is only for larger companies, but it can be affordable for any size company. It is also important to consider your exposure if you’re attacked when determining the value of an insurance policy. Cyber insurance can help with paying a ransom to get your data back, and your policy could cover mitigation and remediation after an attack. A cyber insurance policy is invaluable, not only through the financial assistance it provides, but also in that it can help you get back in business. Often, companies never recover from a cyber attack because they can’t afford to transact business anymore.
Let ArcherPoint Help You with Your Security
Today, regardless of whether or not you purchase cyber insurance, it’s wise to approach cybersecurity as part of your risk management strategy. Getting cyber-insured and protecting your business starts with a solid cybersecurity plan. At ArcherPoint, we have experience and can help you put a plan together and implement it.
To learn more, watch our webinar, Demystifying Cybersecurity, where we discuss endpoint management, password health, backups, end user education, and more. Then contact us to discuss your security needs.