Cyber insurance, also known as cyber liability insurance, covers your business's liability in the event of a data breach or cyber event that can involve sensitive data such as customer information. This can cover Personally Identifiable Information (PII) such as Social Security numbers, credit card and account information, drivers' licenses, and health records.
Cyber insurance typically helps to cover the costs associated with notifying customers of a data breach, restoring personal identities of impacted customers, and then recovering and repairing compromised data, computer systems, and networks. Cyber insurance is often excluded from general liability insurance and crime insurance.
Typically, cyber insurance coverage goes either through a broker or directly through a carrier. When you inquire, you will be asked to complete an application which will have a number of different questions about your risk profile and requirements for coverage. If approved, the carrier or broker will offer you a policy, give you the terms, coverage limits, coinsurance, etc.
Do you actually need cyber insurance?
To answer this, you should ask yourself a few questions:
- What can a cyber event like a data breach do to your assets and your ability to operate?
- If there was a threat against your organization, could you lose money or be extorted, or have customers impacted by an event that originated with you?
- Would losing intellectual property or customer data cause you to lose customers or have other financial ramifications?
The reality is that all types of organizations, from global companies to small and midsize businesses, use technology to do business and therefore face some level of cyber risk.
As technology becomes more complex and sophisticated, so do the threats. This is why organizations are increasingly preparing themselves with cyber insurance to supplement their cybersecurity strategy to manage and mitigate their risk.
Cyber insurance security requirements are getting tighter
In their 2021 report, the U.S. Government Accountability Office found that more insurance clients are electing cyber coverage, up from 26 percent in 2016 to 47 percent in 2020. During the same period, U.S. insurance entities saw the costs of cyberattacks nearly double between 2016 and 2019. As a result, insurance premiums also saw major increases due to the carriers' financial losses from paying out the increased number of claims.
What we've seen first-hand from carriers in recent years is that, in an effort to curb their losses, they are taking a deeper look at their clients' security preparedness and tagging experts to provide perspective and expertise.
In their 2022 Property/Casualty Annual Statement Cybersecurity and Identity Theft Supplement report, the National Association of Insurance Commissioners (NAIC) wrote:
Because of the increasing cybersecurity risks, businesses are facing a more demanding underwriting process. Insurers are more thoroughly examining a company's security controls, internal processes, and procedures concerning cyber risk. Additionally, underwriters are more cautious in examining an insured's risk presented by the third parties working or contracting with the insured.
Carriers are tired of paying out for breaches that could have been prevented and incidents that could have been contained. They recognize there are a lot of vulnerabilities for businesses, but in collaboration with vendors and service providers, they are mandating best-of-breed security tools that can offer meaningful risk mitigation.
Multi-factor authentication (MFA) was a nice-to-have years ago, but now it's absolutely required and you likely won't be eligible for any cyber insurance quotes without it. Then we started to see carriers mandate detection and response tools such as EDR and MDR.
Now, with the understanding that breaches are inevitable, they're starting to mandate Zero Trust Segmentation (ZTS), which unlike prevention and detection technologies, stops the spread of breaches by shutting down pathways for lateral movement and only allowing wanted and necessary communication.
Learn more about Zero Trust Segmentation here.
Zero Trust Segmentation is increasingly required for cyber insurance policies
When you look at the total cost of most breaches ‚Äî outside of DFIR (Digital Forensics and Incident Response) and paying the ransom itself ‚Äî the most expensive part is recovery.
The reason we're seeing insurance carriers and regulators push for segmentation, even downmarket into small and midsize business, is because preventing an attack from spreading to just a few devices instead of all of them decreases the cost of recovery dramatically. That's why you see updated underwriting packages from carriers where segmentation is now required for critical assets or endpoints (which are typically the starting point of many breaches).
Fortunately, recovery costs can be controlled in a major way if you are doing ZTS and preventing breach spread. A recent attack emulation performed by Bishop Fox found that ZTS stops ransomware attacks four times faster than detection and response alone, and ZTS significantly reduces the amount of time it takes to recover following an incident.
Imagine the costs for an insurance carrier having to recover 1,000 workstations after a ransomware attack on a midsize manufacturing firm. If the company had implemented ZTS, stopped the attack from spreading, and only had to recover 3 workstations instead, the cost structure for recovery is very different.
ZTS doesn't rely on detection like other tools, and if traffic can't reach your critical assets, it can't infect them, no matter what attack technique is used.
The future of insurance includes security tools and service providers
We have spoken with several partners and carriers, and they agree that the future of cyber insurance is a tight-knit collaboration that combines security vendors, service providers, and insurance companies together.
In this evolving threat landscape, agile businesses need comprehensive continuity planning, that starts with having the right tools in place and in some cases having a roadmap for security strategy, like adopting one of the best-of-breed frameworks like NIST CSF, CIS, or CMMC. Trusted service providers can help alert IT leaders develop good security hygiene proactively and equip organizations with a security stack that makes a meaningful impact.
Cyber insurance should be a key piece of your risk strategy, but it can't be the only piece. If you own property, would you only buy fire insurance and not smoke alarms and fire mitigation controls? Hopefully not, but even if you did, you would expect to pay a higher premium given you haven't deployed controls that actually reduce your fire risk.
The fact is that companies who are better prepared will pay a better rate than those who aren't. Being able to demonstrate that will go a long way in not only protecting yourself from a cyber event in the first place but also saving you money and recovery time working with your carrier when something does happen.
Illumio ZTS is proactive security that reduces cyber insurance costs
When should ZTS become a part of your organization's security strategy? If you already have MFA and EDR/MDR products, then ZTS should be your next priority, if it hasn't been mandated already.
Not only will you be ahead of the curve before your next cyber insurance policy renewal, but you will be able to strengthen your existing detection tools' effectiveness by lessening their dwell time weakness while also significantly increasing your response capabilities.
If you are facing segmentation mandates from your cyber insurance carrier, contact us today for a consultation and demo.