As Russia looks set to ramp up its cyberattacks on the United States, companies and their founders should be asking themselves: Do we have adequate cybersecurity insurance? Do we even have cybersecurity insurance? The answer to both should be yes.
No organization today is spared from malicious system breaches, and the threats are accelerating. Recently, President Biden warned all U.S. companies to tighten their defenses, citing new intelligence about Russian-backed cyber threats. This comes after ransomware attacks in North America rose 104 percent last year.
Additionally, the acceleration of global digital transformation requires insurance protection. Not only do some vendors require it, but cyberattack recoveries are getting costly. Companies must pay ransoms, as well as shoulder the expenses of returning to normal operations, brand repair, and more.
Yet even if you carry coverage, retaining it isn't guaranteed. Cyberattacks are becoming so frequent and so expensive that insurers are dumping existing customers, re-evaluating risk metrics, and setting high bars for new customers. All the while, insurance companies are hiking premiums at alarming rates.
Here are some ways to convince an insurer that you're worth the risk -- and keep costs as low as possible:
What you need to qualify.
The first step is assessing your three estates: your company's enterprise network, your public cloud assets, and your remote operations.
In all three estates, insurers will seek gaps in software and infrastructure, and weak devices and systems. Too many cracks may render you uninsurable. They'll also want to know how you secure privileged user access: There's a hot market for stolen admin credentials, and a majority of ransomware attacks succeeded because of compromised admin credentials. Ask yourself: Are your cybersecurity tools merely defensive, or do they offer true protection?
Insurers will examine your people and processes: If you're a 10,000-employee company with a couple of cybersecurity experts, or if you have meaningful turnover, you're a risk. The same goes for inadequate incident response and disaster recovery plans. According to IBM, the average cost of a data breach last year was $4.24 million. That's the kind of number that can make insurers very selective.
If you're found wanting, you're not only a greater breach risk, you'll also take longer to get operational again. Customers are more likely to sue. Furthermore, not all costs will be covered. For example, Blackbaud disclosed over $6 million in recovery costs, of which only about half was covered by cyber insurance.
How to keep your insurance.
Your top fear should be overconfidence. You may have invested in expensive security platforms. You may have conducted red team exercises that show you're impenetrable. But these aren't guarantees. Remember that the Equifax breach was successful because of a delay in installing a patch. Colonial Pipeline was taken down by an easy-to-crack password.
By their very nature, hackers are probing for weaknesses you've overlooked. Even red team exercises only cover a certain period and set of circumstances. In reality, you have to apply greater rigor to keeping your insurance than you did to qualifying for it. It's imperative to establish a rhythm of communication and assessment with your carriers between renewals, for example, to determine the impact on indemnity as you invest in cybersecurity tools. Both the insured and the insurance provider need to learn from each other.
Any lapse -- especially one deemed obvious -- could intensify your insurer's scrutiny. (It'll also increase your premiums and your deductible.) If your renewal is dropped, word spreads quickly. Other insurers will want to know who covered you previously and why you were disqualified.
Lowering your premiums.
Start with an all-hands-on-deck approach to mitigate higher cyber insurance premiums and keep your insurers happy. Show that your CEO is involved in tabletop exercises and that your board is engaged. Demonstrate that you have continuity in trained staff.
Ask your insurers what tools, controls, or processes you could add to reduce premiums. This requires working with them well before the next renewal.
Make a case for your lessened risk, if there is one. If you're a 50-bed hospital in upstate New York, you're not nearly the treasure to cybercriminals that the Mayo Clinic is. Gathering comparables within your industry could be an argument for reductions.
Personal relationships matter too: Get to know your broker and build a strong relationship. He or she will help you find carriers that align with the security posture, risk mitigation, and economics you seek.
It's uncertain how the Russia-Ukraine war will factor into all this. Premiums were already skyrocketing before the conflict. But cyberattacks are increasing, and so will insurance costs. As premiums climb, there's a temptation to go with bare-bones coverage.
Business partners and supply chains now demand you carry cyber insurance. Consider it a cost of doing business in the internet economy. After all, cyberattacks have put entire companies out of business, both large and small. But no matter what policy you have, it's also vital to remain proactive, doing everything you can to keep your systems safe and your costs as low as possible.