There has been a staggering surge in cybercriminal activities over the past few years, with a global increase of 38% between 2021 and 2022. The financial repercussions of an attack can be crippling, with an average cost of a single data breach reaching $4.45 million.
In an effort to cover their losses and keep up with demand, insurers have doubled or tripled premiums, reduced policy limits, and imposed strict terms and conditions, making reasonable insurance coverage harder to come by. Now, more than ever, it’s important for insureds to highlight the steps they are taking to defend themselves against cyberattacks.
To Lower Your Insurance Costs, Lower Your Risk
When it comes to reviewing any type of insurance submission, cyber or otherwise, underwriters are looking for insureds that are a “good risk.” In other words, they’re looking for individuals and businesses that are in a position to actively prevent and manage their losses.
With cyberattacks on the rise, underwriters want to see that their insureds consider cybersecurity a priority, not an afterthought, and that they are intentionally protecting themselves by implementing necessary cybersecurity measures.
Here are several ways you can make your organization’s cyber risk more attractive to underwriters and negotiate a lower insurance premium for your cyber plan.
1. Implement a Cybersecurity Framework
Cybersecurity frameworks are a set of structured guidelines, best practices, and standards designed to help organizations manage and improve their cybersecurity efforts. Several of the most commonly recognized and used frameworks include NIST, ISO 27001 and 27002, and SOC, although there are others. No framework is one size fits all, and the “best” framework for your organization will depend on your industry, business size, and type of work.
Adopting a cybersecurity framework signals to an insurance underwriter that you’re committed to cybersecurity and that you’re taking a verified, systematic approach to safeguarding your organization and your data. Be sure to document the steps you’ve taken to implement your cybersecurity framework and how that effort has measurably improved your security practices so you can submit that to your insurer.
2. Proper Password Management
Long gone are the days when we could use the same password for all our different logins. Proper password management is a fundamental and critical aspect of cybersecurity. It serves as the first line of defense against unauthorized access to digital systems, accounts, and sensitive information.
The average internet user has access to roughly 240 online accounts. That’s a lot of passwords to keep up with, and there’s no way most of us could remember more than a handful of them. This is even more difficult if you’re aiming to meet proper password guidelines — using numbers, special characters, and both upper and lowercase letters. Password management tools (like Dashlane, LastPass, and 1Password) provide a quick and convenient way to create unique, complex passwords and securely store them.
Password managers also make it easier for businesses to grant staff access to shared accounts without revealing the actual password. This makes it simple to keep tabs on who has access to which accounts and to revoke access (say, when an employee leaves the organization) without having to change all of the passwords.
3. Implement Multi-Factor Authentication
Although good password practices are critical, they’re not enough on their own. Multi-factor authentication (MFA) is an essential control that adds an extra layer of protection beyond the traditional username and password combination. In fact, it’s so critical that most — if not all — insurance providers will require organizations to use MFA to even qualify for cyber coverage.
MFA enhances the protection of online accounts and systems by requiring users to provide two or more distinct forms — or “factors” — of verification before granting access. These factors fall into three categories:
- Something You Know: This is typically a password or PIN that only the user should know.
- Something You Have: This involves a physical item or device that the user possesses such as a smartphone, smart card, or security token.
- Something You Are: This refers to biometric data unique to the user such as fingerprint or iris scans, facial recognition, or voice recognition.
4. Create a Documented Incident Response Plan
Although the goal is to prevent a security breach before it ever takes place, sometimes that’s just not possible. Proactively creating an incident response plan before disaster strikes helps organizations effectively manage and mitigate the impact of security incidents.
An incident response plan is a structured and documented set of procedures and guidelines that an organization follows when responding to and managing cybersecurity incidents. The primary purpose of this plan is to minimize the damage caused by an incident, reduce recovery time and costs, and restore normal operations as quickly as possible.
Demonstrating that your organization has a clear, documented response plan in place — and that your employees know how to follow it properly — gives an insurer confidence that you’ll be able to minimize damage and curb the cost of claims in the event of an attack.
5. Run Regular Penetration Testing
Penetration testing, often referred to as “pen testing,” is a cybersecurity practice that involves simulating cyberattacks on an organization’s systems, networks, or applications in order to identify exploitable vulnerabilities. The goal is to evaluate the security measures in place and assess how effectively they can withstand real-world threats.
Professional pen testers are experts in their field and knowledgeable about the most common hacking techniques, as well as new ways cyber criminals are attacking businesses. By maintaining a consistent pen testing schedule, you can demonstrate to your insurance provider that you’re proactively checking your security protocols for possible weaknesses and safeguarding your organization against emerging threats.
6. Conduct Regular Cybersecurity Training
The best security solutions, practices, and frameworks are pointless if no one actually uses or adheres to them. By investing in regular cybersecurity training, organizations empower their employees with cybersecurity best practices, knowledge of current threats, and an awareness of the importance of maintaining a secure digital environment.
Well-trained employees are less likely to fall victim to common cyberattacks like phishing, social engineering, or malware attacks. They’re also more likely to identify and report suspicious activities and respond to incidents in ways that minimize the impact of a breach.
Investing in regular training demonstrates an organization’s commitment to cybersecurity best practices. This commitment can lead to more favorable terms and lower premiums when negotiating cyber insurance policies because insurers recognize the importance of well-trained employees in reducing overall cyber risk.
7. Implement a Robust Data Backup Strategy
In the wake of an attack, data backups are key to restoring operations, minimizing company downtime, and curbing losses. This means investing in backup technologies and services that regularly (ideally daily) create and store complete data backups in a secured, off-site location.
By outsourcing your data backups to a third-party service provider, you’ll benefit from their ongoing monitoring, maintenance, and testing to ensure your backup protocols are running as they should. They’ll also take responsibility for purging obsolete backups, so you can feel confident that your data is always up to date.
Having a backup plan in place gives organizations — and their insurance providers — peace of mind knowing that lost data can be restored quickly and without extensive costs. In the event of a ransomware attack, for example, organizations won’t feel pressured to pay exorbitant ransom demands or need to seek financial recovery for lengthy business interruptions.
Trust Cyber Insurance Experts with Your Business
Cyber insurance is a necessary form of protection against cybercriminals, enabling organizations to recover in the wake of a breach or attack. However, if you want to get the best coverage at the best price — and in some cases, get any coverage at all — you’ll need to demonstrate to insurers that your cyber risk management strategy extends far beyond just insurance.
Cyber insurance is not a generalist game. The world of cybersecurity insurance is rapidly evolving and responding to the new cyber threats that emerge each year. In this hard market, it’s vital to work with cyber insurance providers, like MiniCo, who understand the ever-changing landscape of cyber risks. Not only can we help you secure a cost-effective insurance plan, but we also can ensure that the plan adequately provides the coverage your business needs.
MiniCo offers an exclusive Cyber program for small and mid-sized businesses that provides critical coverage for costs resulting from a data breach and related expenses associated with the loss of data. Visit our Cyber Insurance program page for coverage details, program availability, contact information, and online application instructions.