In today’s business world, cyber liability insurance has become a necessity for most, as a response to the growing frequency and severity of cybercrime. A cyber insurance policy is relevant for any company that stores or processes data and uses software for business operations, acting as a safety net should any breach or damage occur.
According to Hiscox’s 2022 Cyber Readiness Report, 64% of businesses now have cyber insurance, either as a standalone or combined policy, yet the rise in insurance premiums over the last few years has understandably been a cause for concern. By the end of 2021, 98% of companies were experiencing increases in insurance costs.
Despite this, however, demand for cyber insurance remains high, as companies of all sizes and sectors are recognising the need for broader security measures and better risk management in the face of the cyber threat.
Why are premiums rising?
Quite simply, cybercrime has increased significantly in recent years, with ransomware, phishing and other attacks now commonplace. Some reports found that 86% of companies experienced a successful cyber attack in 2021, and these figures can be expected to rise further as attacks grow more sophisticated and frequent. Payouts can be costly, averaging around $145,000 for small to medium sized businesses.
Ransomware attacks are one of the major causes of large payouts, with around 37% of organisations hit by such an attack last year. Bad actors will often demand large ransoms, which the company's insurance provider may have to cover. Although paying is generally not advised by experts, Hiscox reported that 84% of US companies paid their ransom demand in 2022. On top of this, ransomware attacks can result in business interruption, network outages and lost income, all of which an insurer may have to pay out for. With so many claims being made, providers have had to increase their premium rates to cover these costs.
We have also seen an increase in other threats and vulnerabilities, for example within the supply chain, brought to light by attacks like those on SolarWinds and Kaseya. Managing supply chain risk effectively is no easy feat, and many companies leave themselves exposed by neglecting to ensure that all suppliers meet minimum security standards.
The rise in cybercrime and the heightened risk of policyholders has not only forced insurance prices to surge, but has encouraged providers to re-evaluate their business models and scrutinise businesses' cyber risk management more thoroughly.
This means it has never been more important for businesses to demonstrate to insurers the efforts made to combat the cyber threat. After all, preventative measures are the best approach to security. By investing in better cyber security, companies can reduce their risk of an attack, which in turn lowers the price of cyber insurance.
1. Good password management
The vast majority of cyber incidents involve stolen passwords and credentials, showing just how important good password management is for businesses. This means ensuring multi-factor authentication (MFA) is switched on wherever it is available, and especially for email, remote access and administrative accounts. It adds a little friction for users, but Microsoft has reported that 99.9% of its compromised enterprise accounts did not have MFA enabled, showing just how much of a difference it makes to the security of an organisation.
Other password best practices should also be followed, such as an 8-character minimum length, allowing long passphrases, and screening new passwords against a blocklist of commonly used and previously breached passwords that are easy for attackers to guess.
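To make the second point concrete, here is an added example (not code from the original article) of a password-screening check in Python: it enforces a minimum and maximum length, rejects single-character repeats and passwords containing context-specific words such as the company or user name, and compares a normalised "base word" against a blocklist so that trivial variants like `P@ssw0rd1!` are still caught. The blocklist here is a constructed handful of entries standing in for a real breached-password corpus; the function names and the leetspeak map are the example's own.

```python
import re
from typing import Iterable

# Constructed blocklist for illustration only. In practice this would be a
# large list of breached and commonly used passwords loaded from disk.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "football",
}

MIN_LENGTH = 8   # minimum length for user-chosen passwords
MAX_LENGTH = 64  # allow long passphrases, but never silently truncate

# Common character substitutions undone before comparing to the blocklist.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def normalise(password: str) -> str:
    """Reduce a candidate to its base word: lower-case it, strip trailing
    digits/punctuation (e.g. '2023!'), then undo leetspeak substitutions."""
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(LEET_MAP)


def check_password(password: str, context: Iterable[str] = ()) -> list:
    """Return a list of reasons the password is unacceptable (empty if it passes).

    `context` holds words that should never appear in a password, such as the
    username, the company name or the product name.
    """
    reasons = []

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Check both the raw (lower-cased) password and its normalised base word,
    # so 'Password2023' and 'P@ssw0rd1!' both match the 'password' entry.
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")

    # A single repeated character ('aaaaaaaa', '!!!!!!!!') is trivially guessable.
    if re.fullmatch(r"(.)\1+", password):
        reasons.append("single repeated character")

    lowered = password.lower()
    for word in context:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains context-specific word '{word}'")

    return reasons


if __name__ == "__main__":
    # Constructed sample candidates, not real user data.
    for candidate in ["P@ssw0rd1!", "Qwerty!", "AcmeCorp2024!", "correct horse battery staple"]:
        result = check_password(candidate, context=("acme", "alice"))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The normalisation step is what turns a simple list lookup into something useful: without it, most users defeat a blocklist by capitalising the first letter and appending a year. A production check would also compare against a full breached-password dataset rather than this constructed list, and would never log the candidate password itself.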
2. Ongoing risk management
Evidence of ongoing risk analysis and management is important for cyber insurers to see, because the cyber threat landscape is constantly evolving: what was secure yesterday may be vulnerable today.
This can be demonstrated by regular penetration testing or vulnerability scanning, in which systems are tested for weaknesses that attackers may be able to exploit, together with a record of the findings being fixed. Showing that you assess your risks and act on them will lower your risk profile and improve your chances of reducing your insurance premium.
3. Data protection
Your data is a hugely important business asset and a lucrative target for hackers, who can make a good deal of money selling data or holding it for ransom. Effective procedures and solutions in place to protect this data will go a long way towards showing insurers that you’re actively trying to prevent and minimise the damage of a data breach.
With human error commonly at fault in a data breach, limiting people's access to sensitive client and company data wherever possible is a must. A good rule of thumb is the principle of least privilege: only allow the level of access a person needs to carry out their job function, and nothing else, and review those permissions when roles change.
This applies both to employees within an organisation and to any third parties you share data with (this is how supply chain attacks can start). Any data in transit should, of course, be encrypted (for example over TLS or a VPN) so that attackers cannot intercept, steal or misuse it. This is particularly pertinent for home workers, or indeed anyone accessing data from outside your company network.
Another simple but essential task when it comes to securing data is having a plan in place in case something does happen to it. This includes backing up regularly and storing at least one backup off-site, keeping that copy offline or otherwise immutable so that ransomware cannot encrypt it along with the live systems, and periodically testing that a restore actually works. Storing a backup in the cloud is a popular option for many companies, offering flexibility and scalability as business requirements evolve.
4. Complying with security frameworks
Some insurers will offer discounts or reduced premiums if your business has aligned itself with a recognised security framework. These generally cover fundamental security controls and so compliance with such frameworks confirms that you are following best security practices and meeting sufficient standards.
Popular frameworks in the US include the NIST Cybersecurity Framework (and, for healthcare organisations, the security requirements of HIPAA) and in the UK, the government's Cyber Essentials scheme. Internationally recognised standards like ISO/IEC 27001 are also helpful for showcasing good information security management.
A focus on prevention
Purchasing cyber insurance is not an alternative to implementing security measures within your organisation. Insurers have made this clear by becoming more selective with their coverage and premium rates, requiring certain standards to be met and existing risks to be managed before issuing policies. Insurers want to minimise the chance of any loss and reduce the risk of anything bad happening in the first place.
This shift towards prevention techniques should be a wakeup call for businesses yet to comply with the most basic cyber security controls. As cyber-attacks and insurance premiums continue to rise, implementing these controls must be the first port of call for businesses that want access to good coverage and lower insurance costs.