The recent attack on the Colonial Pipeline made everyone aware of just how fragile cybersecurity can be. But companies who deal with it on a daily basis have always known it’s a serious threat. The problem is that as threat levels increase, insurance companies are making serious changes to the way they cover cybersecurity attacks. Businesses are paying more and getting less.
What is Happening in Cybersecurity Insurance?
Cyberattackers are becoming increasingly sophisticated and increasingly bold with their demands. According to InformationWeek, more than 60% of companies faced ransomware demands following a cyberattack in 2020. It isn’t just large companies that are affected, either: between 50% and 70% of the companies attacked were small to medium-sized businesses. As a result, the number of claims being made to cybersecurity insurance companies is up, and the amount paid out on each claim is increasing as well. In an effort to stay afloat, many insurance companies are raising their rates.
For insurers still in the business, premiums are up 30% on average. However, many insurance providers are deciding that cyber insurance simply isn’t worth the hassle. As more insurers decide that the math just doesn’t add up to insure against cyberattacks, supply shrinks as demand grows. The resulting market forces exacerbate the already increasing cost of insurance.
Those insurance companies still offering insurance against cyberattacks need to find other ways to offset their costs. One way they are attempting to do this is by increasing the security requirements that businesses must meet to qualify for a policy. They are also becoming more proactive about verifying the required security measures are in place.
Cybersecurity insurance mandates increasing
The Cybersecurity &amp; Infrastructure Security Agency (CISA) sees the increased mandates by insurance companies as a good thing. Too many companies fail to take the threat of cyberattacks seriously enough, which is part of what is driving the rise in such attacks. In addition, CISA has recommended a cyber incident data repository, where affected businesses and insurers can share data about security breaches. This would provide valuable data for cybersecurity researchers, and it would also give companies better risk assessment data when deciding on the best course of action for their own cybersecurity efforts.
In an effort to focus efforts on increased cybersecurity, the White House held a cybersecurity summit that included members from four insurance firms. Each of these firms - Travelers, Coalition, Resilience Cyber Solutions, and Vantage Group - offered a commitment to increasing both cybersecurity requirements and awareness of best practices in the field. Vishaal Hariprasad, CEO of Resilience, expressed concern about dropping coverage for business though, as doing so may externalize the threat to the public and other innocent victims.
Steps to take to reduce premiums
Companies that offer cyber insurance are doing what they need to do to keep themselves in business and to promote a more secure cybersecurity framework. Businesses, whether they buy cyber insurance or not, also have a role to play. If businesses proactively strengthen their security, successful attacks across the board become less frequent, and insurance premiums can come down to reflect a more predictable security landscape. Here are some concrete steps your business can take to play its part:
1. Stop thinking about security as a checklist
It’s easy to think of security as just a list of boxes to check off. This is especially true if it’s something an insurance company is forcing you to do. But improperly configuring your security policies will provide little real defense. Insurance is nice to have, but there are some things it can’t fix. You are better off treating security as an integral part of how you do business. This will keep your data, and that of your customers, safe.
There are many cybersecurity frameworks to choose from, such as SOC 2, ISO 27001, and CMMC. Implementing one of them is a great start to improving cybersecurity. But if the implementation is just a matter of writing policy documents, you’ll be left with little real protection. Instead, you need to understand the risk assessment that these frameworks are asking you to perform. Why does each control exist? What is the purpose of checking the box? Only by understanding why the framework is built the way it is can you hope to implement its controls properly and thoroughly.
As insurance companies become more strict about requirements, you might not even get reimbursed for an attack at all if you haven’t taken the time to understand the frameworks you’re using, and the steps the insurance company is asking you to take. Insurance companies are looking for ways to save money. Don’t give them an out with poorly configured security.
Given the increased demands ransomware attackers are making, having an insurance company deny your claim because you didn’t take security seriously enough can have a double-whammy effect. According to a risk report by the Hanover Insurance Group, 42% of businesses don’t have enough coverage to reimburse them for the full cost of an attack. If an attack ends up costing more than you anticipated and purchased coverage for, you’ll want to be extra sure that you have taken every step necessary to actually get paid on whatever coverage you do have.
2. Pick your framework, but make sure it means something
Any of the cybersecurity frameworks will provide your business with increased protection against cybersecurity attacks and could save you from costly ransomware demands. But no framework is 100% effective. If it were, then none of the large companies who have these frameworks in place would ever fall prey to cyberattackers. If an attack occurs regardless of how effective your framework is and how carefully you’ve implemented it, you need to be able to fall back on the insurance money.
We’ve already talked about how important it is for you to understand the framework you have in place and to implement it purposefully to avoid giving the insurance company an opportunity to find a hole. But that isn’t the complete picture. Your insurance company might have requirements that aren’t a part of the framework you’re using. Many will require multi-factor authentication for all users, some have requirements regarding which frameworks you’re allowed to choose, and others have specific demands about how the framework is implemented that may go above and beyond what its own text says. It’s important to understand how your chosen framework matches up with the requirements set forth by the insurance company.
One other area to look out for is the proof of compliance requirements. Does your insurance company require you to conduct regular audits, assessments, attestations, or certifications? What rules must be followed when conducting these activities, and who is allowed to conduct them? It’s important to go over your insurance documents and ensure that you’ve dotted every I and crossed every T.
3. Now USE THE FRAMEWORK
You’ve chosen your framework, now it’s time to put that mindset discussed in the first step to work. Take a good look at each of the steps, understand why they exist, and make sure you are properly implementing them: not only in the letter of what’s written but in the spirit of what’s written. For example, if your framework requires you to have managed company devices that provide a certain level of security, but you allow your employees to access the system on their personal devices, you’ve checked a box but failed at security. Not only are you creating a security hole for cyberattackers to walk through, but you’re also creating a loophole to allow insurance companies to deny your claim.
Also be aware of the overlap between the various frameworks. For example, meeting CMMC Level 3 also covers the NIST SP 800-171 controls, and those controls map onto the NIST Cybersecurity Framework (CSF). Be careful, though: a mapping shows where two frameworks address the same control area, not that satisfying one automatically satisfies every requirement of the other, so check the specific requirements your insurer or assessor cites. When you document your security measures against multiple frameworks at once, you can reuse a single body of evidence across multiple security assessments. Tools like Microsoft Compliance Manager make documenting your efforts in this way much more streamlined.
To reiterate the point made at the start of this section, your company’s approach to cybersecurity needs to become an integral part of company culture. Every member of staff should understand why the security measures they are asked to follow matter and should be thoroughly briefed on what those requirements are.
Cybersecurity is difficult to get right. Even the world’s largest companies sometimes fail. The high number of attacks in 2020 should give every business pause to reconsider how seriously it takes this threat. In particular, the percentage of small to medium-sized businesses affected shows that everyone is a target for this kind of criminal activity.
Agile IT is a four-time Microsoft partner of the year. We hold 16 gold competencies, including in security and cloud platforms. If you need to make sure you’re doing everything you can to reduce the risk of a cyberattack, doing your part to keep insurance premiums as low as possible, and taking every precaution to ensure you get paid should you need to file a claim, contact us today for a free security consultation.