Cyber insurance playbook: How to strengthen security posture
Cyber insurance carriers are demanding that their clients do more to protect themselves against attacks.
Cyber insurance is mission-critical to protect nearly every business, especially as today’s organizations face unprecedented risk. And with the average cost of a ransomware attack hitting $4.5 million in 2022, insurers are demanding that their clients do more to protect themselves against attacks.
Because of this, cyber insurance premiums are becoming increasingly expensive, with tighter underwriting requirements and more policy exclusions. In fact, only 55% of organizations in North America held cyber insurance policies in 2022, and a mere 20% have ransomware coverage exceeding $600,000.
As prospective policy holders prepare to face the rising security standards set by cyber insurance carriers, organizations can take matters into their own hands and prepare their business with adequate security controls. By focusing on the areas that insurers assess the most during underwriting, organizations can go beyond checking the boxes needed to obtain coverage while reducing their company’s overall risk.
Strengthen security posture
Securing cyber insurance takes a team and a strategy. Strong security posture management and measurement is the foundation for attaining the best policies at the most affordable rates. Companies that manage cyber risk well and maintain robust security controls will qualify for the best cyber policies. As insurers step up their cyber risk assessments during the approval process, be prepared to provide proof of your cybersecurity practices.
When examining an organization’s security posture before issuing a policy, insurers have a shortlist of three factors that indicate whether a business is sufficiently secure. Before an organization buys or renews cyber insurance, it must place increased emphasis on these areas:
- Endpoint security: Tracks identifying signals extracted from metadata about the operating system, web browser and active plugins. Endpoints can create entry points into organizational networks that cybercriminals can exploit.
- Patching cadence: Analyzes how quickly an organization installs security updates to measure vulnerability risk-mitigation practices.
- Network security: Checks public datasets for evidence of high-risk or insecure open ports within the organization network.
All of these factors are well within an organization’s control, empowering it to proactively mitigate overall risk and elevate its security posture to a higher level of resilience.
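The patching cadence and network security factors above are measurements, so a security team can compute them itself before an insurer does. The following is an added example, not SecurityScorecard's methodology or code: it scores a constructed set of patch records against a hypothetical per-severity SLA and flags internet-exposed ports from a constructed scan result; the SLA values, the high-risk port list and all dates and addresses are assumptions for illustration.

```python
from datetime import date
from statistics import median

# Constructed sample patch records: (asset, severity, patch released, patch installed or None).
PATCH_RECORDS = [
    ("web-01", "critical", date(2023, 3, 1), date(2023, 3, 5)),
    ("web-02", "critical", date(2023, 3, 1), date(2023, 4, 20)),
    ("db-01", "high", date(2023, 2, 10), date(2023, 2, 28)),
    ("hr-laptop", "high", date(2023, 2, 10), None),   # still unpatched
    ("mail-01", "medium", date(2023, 1, 15), date(2023, 3, 1)),
]
AS_OF = date(2023, 5, 1)  # constructed assessment date

# Hypothetical internal SLA: maximum days from patch release to install, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60}


def patching_cadence(records, as_of, sla=SLA_DAYS):
    """Per-severity median days-to-patch and share of patches installed within SLA.
    Records that are still unpatched are measured from release to `as_of` and
    always count as outside SLA, so a backlog cannot hide in the median."""
    by_sev = {}
    for _asset, sev, released, installed in records:
        days = ((installed or as_of) - released).days
        within = installed is not None and days <= sla[sev]
        by_sev.setdefault(sev, []).append((days, within))
    return {
        sev: {
            "median_days": median(d for d, _ in rows),
            "within_sla_pct": round(100 * sum(w for _, w in rows) / len(rows), 1),
        }
        for sev, rows in by_sev.items()
    }


# Constructed shortlist of services commonly treated as high-risk when internet-exposed.
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}

# Constructed external scan result (TEST-NET-3 addresses): host -> open ports.
SCAN = {"203.0.113.10": [22, 443, 3389], "203.0.113.11": [80, 443]}


def exposed_high_risk(scan, high_risk=HIGH_RISK_PORTS):
    """Return (host, port, service) for every open port on the high-risk shortlist."""
    return [(host, port, high_risk[port])
            for host, ports in scan.items()
            for port in sorted(ports) if port in high_risk]
```

Feeding real asset inventory and external scan data into these two functions gives a team the same style of evidence an underwriter asks for, with the unpatched backlog and exposed services listed rather than averaged away.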
Boost cyber resilience
Along with prioritizing the factors above, organizations should prioritize investments that bolster their security posture and increase the likelihood of obtaining a cyber insurance policy. By focusing on these factors, a company can reduce its cyber risk, potentially resulting in a lower premium.
- Quantify security risk: Security ratings provide quantifiable, easily understood, measurable performance indicators. Security leaders can leverage these metrics during executive-level or board meetings to support budget justifications and showcase the value of security investments. Additionally, security ratings can be utilized with enterprise risk managers to demonstrate the insurability of their organization during the cyber insurance procurement process.
- Implement continuous monitoring: Security ratings offer a dynamic, real-time perspective of an organization’s cyber risk. As controls associated with the factors listed above are implemented, or pertinent issues are addressed by the security team, the ratings immediately reflect the improvements.
- Establish an incident response plan: Ensure there is a well-defined strategy to demonstrate to cyber insurers that the security team is ready to respond to incidents and minimize risks promptly. The first 24 hours following a breach are crucial, necessitating immediate action to halt further losses, address lingering vulnerabilities, and swiftly inform all impacted parties.
It is key to remember that cyber insurance is not a replacement for risk management and that policies are not a one-size-fits-all solution. And as cyber insurance claims continue to soar, organizations are now required to prove their security maturity and measure risk to qualify for the best cyber policies.
By creating a collaborative effort and a strategic approach to the factors outlined in this article, organizations can optimize their cybersecurity investments and allocate resources effectively to identify, respond to, and recover from cyber incidents.
Andrew Correll is director of Insurance Solutions at SecurityScorecard.