Companies and organizations of all sizes are increasingly looking to protect themselves from cyber-related incidents. This includes both raising the level of the security controls they have in place and adding the protection that cyber liability insurance offers. Unfortunately, cyber liability insurance isn't as easy to get as it used to be, nor does it cost what it once did.
The number of harmful attacks on small and medium businesses continues to rise, and at the same time the cost of these attacks continues to increase. Cybercrime is expected to grow to $10.5 trillion by 2025, up from $3 trillion in 2015. A recent study showed that the average total cost of a data breach increased in one year by nearly 10% to $4.24 million, the highest ever recorded.
Some of the most frequent attacks include ransomware, CEO fraud, supply chain attacks, and stolen or hacked credentials that allow unfettered access to cloud applications and other key data. The results are lost money, stolen or destroyed data, and the loss of computer system availability, creating slowdowns or complete work stoppages.
And small organizations are not spared from these attacks. One of the reasons the cost of attacking companies has fallen so much is the ready availability of malware kits that can be purchased on the dark web. As a result, extracting money from smaller (less security-savvy) companies has become more and more economically viable for these criminals.
More Organizations Are Getting Cyber Insurance These Days
The market for cybersecurity insurance is expected to grow by over 20% per year through 2031. The percentage of companies that currently have cybersecurity insurance varies by company size, but the share that do have it has increased from 26% in 2016 to 47% in 2020. The number of cyber insurance companies grew by 35% from 2018 to 2021, reflecting the increase in demand.
- The average ransomware demand is up by a staggering 500% or more, and actual payments have almost doubled!
Insurance Companies Need to Reduce Their Exposure
With the increase in cyber incidents, and thus the increase in cyber-related claims, insurance companies have only two choices: drop out of the cyber insurance market, or find ways to reduce their risk and increase their profits. They are doing this by:
- Increasing insurance rates, which have recently gone up by 30 to 40%
- Reducing coverage limits, especially for claims such as ransomware
- Increasing the cybersecurity requirements that must be met to be accepted for coverage
This last item is the one you can control the most, and meeting it can also reduce your cybersecurity insurance costs.
Current Cybersecurity Insurance Requirements
The following are typical requirements that cybersecurity insurance companies ask customers to attest to before accepting them for coverage. The requirements vary by insurance company and by the size of the company being insured, but the goal is the same: companies looking for coverage need to have a minimum set of security controls in place that address the most likely attacks (thus reducing the insurer's risk). These include:
- A named security risk manager or security manager in your organization
- Regular and timely patching of software and automatic updates
- Strong endpoint security and Endpoint Detection & Response (EDR)
- Use of appropriate access control methods to protect critical systems, apps and data, such as:
  - Multi-factor authentication (MFA)
  - Least-privilege access policies
  - Securing system administrator access to key data
  - Securing third-party access to your systems
  - Use of strong password management, etc.
- Backup and disaster recovery using cloud or off-premises offline storage, with backups taken regularly and restores tested to make sure the data can be recovered
- Financial controls to verify funds transfer requests and access change control requests
  - At least two people review and authorize
- Data protection methods for personal or other private information (such as encryption, network
- Compliance with specific security regulations that you are subject to because of your industry, customers etc.
- Use of network security methods such as network segmentation and firewalls to protect key data
- Email security
- Employee management policies to control account access
- Active security monitoring of IT systems (SIEM monitoring)
- Employee security training and testing program
- Written incident response plan
- Written privacy & data security policies
These are but a few of the cybersecurity standards insurance companies are now requiring their clients to have in place before they will issue a policy. And while most insurance companies currently rely on self-attestation that these controls are in place, before long they will be requiring a professional IT service company to review and confirm that these standards are, in fact, in place.
What is clear is that the level of cyber protection needed isn't something most organizations can implement and keep current by themselves. This is a job for a professional MSSP (Managed Security Service Provider) to ensure everything is done efficiently, effectively, and, dare I say, correctly.
FPA has worked with our clients for years to help ensure not only that their IT is well protected, but also that they're in the right position to take advantage of cyber liability insurance protection as well. And without a doubt, in today's technology climate cyber liability insurance is definitely a "must have". The question is: are you doing everything you can to ensure you properly qualify for it?
That said, here are some additional resources to check out:
- 4 Tips for Buying Cyber Liability Insurance
- 7 Things You Should Know About Cyber Liability Insurance
- The Importance of Cyber Liability Insurance
Do you currently have a cyber liability insurance policy or are you currently considering adding this to your organization's protection? Please share your thoughts in the comments section below, or send me an email if you have any questions or wish to discuss this in more detail.