Empowering policyholders to mitigate their own cyber risk

Today's businesses need to address security issues before applying for cyber insurance.

By 2030, cyber insurance in-force premiums in the U.S. will total $100 billion, according to a Cowbell Cyber estimate.

It’s clear that cyber insurance is becoming more essential for organizations. But in order for an insurer to take an organization on as a client, the potential insured must first show that good security controls are in place. Otherwise, they’ll face astronomical premiums — if they’re able to get coverage at all.

Policyholders are taking this into their own hands and being proactive about improving their cybersecurity posture in order to further protect themselves from hacks, or better yet, prevent attacks from occurring in the first place.

Businesses need to address security issues before even applying for cyber insurance. This is a matter of insurability. A provider is unlikely to agree to knowingly insure a company and take on risk when there are gaps in security protocols, as that makes it more likely that they will need to pay out their coverage during the term of the policy. The cost of cyber insurance has doubled and in some cases even tripled in the last year, so businesses lacking in security protections will face even steeper premiums if their issues are not addressed.

This process also empowers security teams to push their boards for the extra funding they may need to resolve outstanding vulnerabilities, and it reinforces the urgency of addressing those issues. With external consequences and a potential impact on the business's bottom line at stake, leadership teams face the unappealing prospect of being uninsured against cyber attacks, which raises the priority of resolving vulnerabilities within the organization rather than leaving them on the back burner.

Common issues

The most common issues that need to be addressed include not having an incident response or backup plan and lacking basic security training for employees. Creating and communicating incident response plans, testing backups, training employees to recognize security threats like phishing attempts, patching existing security issues, and maintaining a better inventory of digital assets all allow companies to be better prepared against attacks, making them more insurable and desirable customers for cyber insurance companies.

Other weak areas can be addressed by establishing a primary point of contact for security. That person can help lead the efforts to remediate vulnerabilities with the security and IT teams. Some companies also offer assessments for potential policyholders to identify the issues that should be resolved before applying for coverage, and benefits like credit to customers who have preventative measures in place.

Provider considerations

When selecting a cyber insurance provider, an organization should be mindful of finding a provider that offers not only third-party liability coverage, which historically has been the only type of coverage available, but also first-party loss and first-party expense coverage to help the business recover from an attack. Additionally, depending on the type of business, there may be other types of coverage available, such as manufacturing-related coverage, to provide more industry-specific protection.

Demonstrating a continued commitment to improvement

Once insured, organizations need to continue to be mindful of new and emerging risks, and show continual security improvements. By doing so, they will open themselves up to more coverage options from their insurers. They must also remain cognizant of the state of their own digital footprint, as any change to it, including implementing different workplace collaboration tools or hiring a new remote employee, can result in new security vulnerabilities and risks. However, if an organization demonstrates a continued commitment to improving its risk profile, it will find it has better options when the time comes to renew its policy.

It’s important for businesses to recognize that risk is changing all the time. But the risks that cyber insurance covers, and the cyber insurance industry itself, are also expanding as a result. The field is growing at a rapid pace, with demand at an all-time high and organizations realizing that coverage is no longer optional. In the face of an evolving threat, providers are offering continuous risk assessment and continuous underwriting to help organizations get ahead of future vulnerabilities, which companies should use to their advantage to ensure they remain protected moving forward.

Isabelle Dumont (isabelle@cowbellcyber.ai) is senior vice president of marketing and technology partnerships for the cyber insurance provider Cowbell Cyber.
