What a CISO needs to know about cyber insurance

Cyber insurance has become essential to any risk management strategy, as no organization can bank on its cyber defenses being 100% invulnerable. It’s also essential because even a successful defense against an attack can still result in significant costs. To mitigate risk, it makes sense to invest in financial protections and technical/operational ones.

Of course, cyber insurance is a complex arena that can hardly be covered in a single blog or podcast, but here are a few key concepts that will help every CISO make better, informed decisions on cyber insurance coverage.

What does cyber insurance cover?

Cyber insurance policies vary considerably, depending on the insured’s needs and the insurer’s underwriting policies. Coverages can generally be divided into two categories:

• First-party liabilities are incurred directly due to an attack and/or breach. These liabilities can include financial harm done to your business, such as the cost of business interruption, theft in the form of invoice fraud, payments made to ransomware actors in the form of cryptocurrency, and the expenses involved in restoring affected data and IT systems.

First-party liabilities can also include fees paid to breach consultants and cyber forensics firms, notifications to customers and other affected parties, and PR expenses incurred to reduce damage to your company’s brand.

• Third-party liabilities result from customers, supply-chain partners, regulators, and others. These liabilities can include direct demands for compensation, lawsuits, and financial penalties imposed by government agencies and/or trade associations.

How are cyber insurance premiums determined?

Cyber insurance premiums are based on multiple factors. Underwriters tend to have very different approaches to evaluating cybersecurity risk. Some factors they consider are “macro,” such as whether your organization is in a high-risk market such as healthcare or payment processing. But they also evaluate your organization’s overall risk-worthiness to determine 1) whether you meet their minimum threshold of insurability and 2) how they should size and price the coverages they deem appropriate.

When shopping for cyber insurance, it’s important to remember that your organization won’t be judged on its security controls alone. The most astute insurers will evaluate your overall cybersecurity posture, which includes:

Prevention and preparation: All the controls, policies, and other obstacles you’ve put between your organization’s assets and the full range of possible threat actors.

Detection and response: All the telemetry, analytics, alerting, processes, and human talent you have in place to quickly discover, identify, and excise malicious activity in your environment.

Recovery and resilience: All the measures you’ve implemented to minimize the financial impact on your organization if an attacker ever succeeds in inflicting actual harm.

Your organization’s previous loss history will likely also determine an underwriter’s cost/coverage calculations.

Optimize your premium-to-coverage ratio

While the market forces driving up cyber insurance premiums are beyond your control, you can take action to ensure that you obtain the most coverage for your organization at the least cost.

Key items that any prospective insurer is likely to review include:

• Comprehensive implementation of multifactor authentication (MFA)
• Extended detection and response capabilities, preferably from a proven provider who can deliver 24/7/365 coverage (XDR/MDR)
• Backups that are secure, encrypted, and continuously tested.
• Best-practices management of privileged accounts
• Vulnerability management that stays fully up to date with critical patches
• Adversarial testing that validates your assumptions, exposes your shortfalls, and enables continuous improvements in your cyber defense posture.
• Crisis/continuity planning that includes the business.
• Digital hygiene education and testing for end-users to optimize their resistance to phishing and other social engineering.

Above and beyond any such checklist, smart underwriters will be looking at how all the individual pieces of your cyber defense fit together to form a mature, cohesive strategy for mitigating the total risk to your business — and, therefore, by extension, to them.

Because it can take some time to assess and improve your cybersecurity posture — and because the evaluation of that posture by an underwriter can also be somewhat involved — it’s a good idea to start preparing for a policy renewal at least six months in advance.

Follow Plow Networks: Twitter, LinkedIn, Facebook, and Instagram