SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
How to get cyber insurance – what mid-sized organisations need to know
Thu, 2nd Mar 2023

Securing cyber insurance coverage is a top priority for many mid-sized organisations today. It’s easy to see why. As cyber security threats and data protection risks continue to proliferate at an unprecedented rate, more and more businesses are rightly asking, “what will happen when – not if – a breach occurs?”

Cyber insurance is not a silver bullet for all these woes, but it does provide a significant safety net for organisations that have already achieved a basic level of cyber resilience. Yet, in recent years, the trend has been the reverse: businesses have been seeking insurance as their sole method of protection, which in turn has caused insurers to re-evaluate the level of risk they’re prepared to underwrite. This has led to insurers raising their premiums, constricting coverage areas and requiring organisations to jump through more hoops than ever before.

Mid-sized organisations are in a disadvantaged position in this market. Since they often hold vast amounts of data, their information security needs (which are closer to those of fully-fledged enterprises) tend to outstrip their in-house capabilities. Cybercriminals know this and see the mid-market as a lucrative target for devastating cyberattacks – particularly when their victims operate within complex supply chains. The same issues also make it more difficult for these organisations to obtain cyber insurance coverage. But there is no reason to be discouraged – with the right approach, mid-sized organisations can quickly qualify for the policy of their choice without breaking the bank.

The cyber insurer’s point of view

Before any strategy can be formulated, businesses need to think like an insurer. The most important thing to note is that insurers can spot vulnerabilities from a mile away – whether that’s a lack of employee security awareness training programmes, poor data security and business continuity processes, or mismanagement of technology assets. They expect companies to exhibit good cyber health credentials across all three areas: people, process and technology.

As a minimum, insurers look for:

  • Multi-factor authentication (MFA)
  • Segmentation of systems
  • Offline or isolated backups
  • Recovery plans tested regularly
  • Rapid patching, especially for high- and critical-severity vulnerabilities
  • Email security
  • Investment in cybersecurity awareness training
  • Documented incident response plan with a defined and educated incident response team

A more sophisticated programme goes beyond this to include endpoint detection and protection, 24/7 network monitoring, data encryption and regular penetration testing – and even then, we’re only scratching the surface.

The limitations of cyber assessments

Clearly, assessing what ‘good’ cyber resilience looks like is not a straightforward process – and since no two businesses are the same, there are no one-size-fits-all approaches. Indeed, not even cyber insurers themselves can know for certain the level of risk posed by companies’ lack of preparedness.

Unlike other industries, cyber insurers operate in a loosely-defined risk landscape. While the general threat is always there, predicting the time or source of a cyberattack is near-impossible, and the collateral damage is expansive, with stolen data sold and circulating on the dark web for years. This explains why insurers are treading with trepidation around building reputational damage into their cyber packages. To build a convincing case for coverage, candidates must now demonstrate comprehensive capabilities to pre-empt and prevent a vast array of threats.

A well-trodden path many choose to prove their credentials is conducting standard business impact assessments. However, when these tests return an unsatisfactory result, organisations are none the wiser regarding how they can plug weaknesses and bolster their cyber defences. A couple more costly reassessments and their cyber insurance budget is so depleted they have no choice but to sink back into inertia.

Self-assessments, on the other hand, can be misleading for a similar reason: there are no clear ‘good’ and ‘bad’ benchmarks against which companies can measure their own cyber resilience. This is where an outside perspective can be useful.

How MSSPs can help with cyber insurance

Managed security service providers (MSSPs) occupy a unique place between cyber insurers and potential candidates. Their experience of working with a plethora of organisations – which share common pain points – equips them with a unique perspective and expertise to accurately gauge organisations’ cyber health and provide benchmarks for improvement. In this way, they are like the ‘black boxes’ of the cyber insurance sector.

Most importantly for the mid-market, MSSPs can manage a continuous testing and improvement programme affordably. They can ask the right questions, regularly assess organisations’ people, process and technology controls, train staff to be cyber-aware, carry out penetration testing and guide businesses through every step towards reaching the required level of cyber resilience faster.

Cyber insurers will also look more favourably on candidates that already have MSSPs by their side, particularly if this means they can access much-needed empirical data about the cyber health of the business. Such a ‘cyber resilience score’ provided by MSSPs can then go a long way – helping insurers make better-informed decisions as they navigate the increased demand for their services.

A final word of warning

While cyber insurance is becoming an essential business investment, the only real insurance policy is to have your house in order. This is the advice of the National Cyber Security Centre and will be echoed by every organisation that has tried and failed to run before they could walk.

The days of using cyber insurance as a sole mechanism to transfer cyber risk are gone, and cyber insurance alone won’t shield the victims of cyberattacks from reputational damage or regulatory fines. In an evolving threat landscape, mid-sized organisations must now have the right foundations in place and experts by their side to prepare their cyber defences for any scenario.