5 factors contributing to company cyber risks
Conducting a risk assessment can help companies lower their cyber insurance premiums as threats increase.
Cybersecurity concerns have moved well beyond the offices of security teams and have now entered leadership meetings and boardroom discussions. Cyber is rated as the number one business risk facing industries today according to a PwC survey. As hacking, cyberattacks and data breaches escalate, more and more companies are looking to insure themselves against a cyber catastrophe and secure themselves financially. But obtaining cyber insurance is known to be difficult and more expensive today than ever before. If cyberattacks continue to escalate as they have been, premiums will almost certainly follow suit.
That said, there are cyber strategies insurers and organizations can follow to improve their eligibility for cyber insurance, agree to more favorable terms, lower premiums, and maximize the value they can receive from their cyber policy. But before we move on to those things, we must first understand the main factors contributing to cyber risk.
5 major factors contribute to cyber risk
Cyber risk evolves constantly, owing to rapid changes in technology, connectivity and the overall threat landscape. Here are five main factors contributing to cyber risk:
- Size and nature of the business: Some industries are more vulnerable to cyberattacks than others. Manufacturing, financial services and healthcare are attacked more frequently, filing the lion’s share of insurance claims. Some industries house more sensitive data, thus attracting more attention from cybercriminals. Attackers can either sell this data in underground markets on the dark web or use it to hold the victim hostage and demand a ransom.
- Vulnerabilities: Vulnerabilities are weaknesses or flaws in systems or processes that attackers can exploit to their own advantage. Unpatched vulnerabilities are one of the most common entry points used by ransomware attackers to hijack systems. The larger the business, the more vulnerabilities there are and, therefore, the more challenging it is to monitor the environment for loopholes and weaknesses.
- Third-party partner risks: Most businesses outsource a portion of their business function or operations to optimize costs or enhance operational efficiency. This expands the attack surface, increasing the potential for supply chain attacks and third-party breaches from partners that don’t comply with security best practices.
- Compliance mandates: Data privacy is a top concern for consumers and local governments everywhere. Failing to meet a compliance mandate can result in cyberattacks, data breaches and class action lawsuits.
- Security awareness: Studies show that a majority (82%) of cyberattacks and breaches involve the human element. Attackers frequently exploit human tendencies (judgment errors, biases, negligence, carelessness, apathy, etc.) to carry out social engineering attacks and bypass security controls. The absence of policies, procedures, planning, tools and training has major implications for cyber risk.
Insurance premium and coverage is directly proportional to cyber risk
Just as an individual’s age, underlying health conditions and history of ailments have a direct impact on their insurance premium, the degree of cyber risk present in a business and the level of demonstrable defenses it has in place have a direct bearing on its cyber insurance premium.
In other words, the greater the cyber risk, the greater the insurance cost. Conversely, the better your security defense, the cheaper your cyber insurance premium and the better your coverage terms.
Keeping risk in check is key to reducing premiums and settlements
Given the challenging market conditions for cyber insurance, it is advisable that businesses undergo a thorough cyber risk assessment to identify weak spots and implement security controls immediately to reduce risk factors.
Studies indicate there is no stand-out priority area for insurers and that insurers expect organizations to implement security across the board. There is a range of security assessments and audits all organizations should consider:
- Data assessments (discovery and classification of data, its sensitivity, location and security controls);
- Vulnerability assessments (identification and prioritization of security vulnerabilities across the organization);
- Compliance assessments (gap analysis against industry-accepted standards or frameworks);
- Third-party assessments (identification and prioritization of third parties based on risk);
- Network, cloud and application assessments (security posture review of on-premises IT infrastructure, cloud environments and SaaS or third-party applications);
- Security awareness assessments (review of security awareness among employees).
It is also advisable that organizations run penetration tests to validate their defenses against real-world attack scenarios.
To summarize, negotiating insurance premiums and risk coverage with cyber insurers requires organizations to present tangible data that demonstrates compliance with cybersecurity standards and the effectiveness of their controls.
Risk assessments can serve as a great tool for supplying evidence to insurers that the organization is high on cybersecurity maturity and low on cyber risk.
Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm offering compliance and professional onsite services with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Towerwall focuses exclusively on providing small to mid-size businesses customized cybersecurity technology programs. Reach her at michelled@towerwall.com.