Thinking About Cybersecurity Insurance? Don’t Sign up Without Taking These Preliminary Steps
According to the SonicWall 2022 Cyber Threat Report, in 2021 the world experienced a 1,885 percent increase in ransomware attacks on governmental entities, and a 104 percent increase in ransomware attacks on North American entities.
The increasing prevalence of these attacks certainly warrants a review of your organization’s cybersecurity program and structure. In addition to the importance of maintaining a good cybersecurity and data privacy program, it is imperative for your organization to have cybersecurity insurance. But to offset costs, you’ll need to take a few preliminary steps.
1. Communicate With All Key Stakeholders
According to Forbes, cyber insurance “protects an organization against financial losses following a cyber attack.” This differs from the purpose of cybersecurity, which is focused on “protecting data, software and hardware, keeping threat actors out and the business operational.”
The Forbes article explains that, under the original view of cyber preparation, cyber insurance has typically been managed at the executive level by risk management teams or finance leaders, because organizations typically treated this insurance like most others, as a “passive hedge.” In other words, the underwriting of this type of insurance has focused on “tallying up potential losses . . . and determining which broad industry and revenue segment of the organization fit into.”
This is at odds with how organizational cybersecurity is actually managed, which is usually by a chief information security officer (CISO), chief technology officer (CTO), lower-level IT managers, or employees whose role is to “focus on emerging threats, evolving solutions and technology trends.”
This divided approach has converged following what Forbes describes as a “surge in ransomware attacks.” CPO Magazine confirms that this reliance has developed alongside CISOs reporting that the rise in cyber attacks in Q4 of 2021 led to a 33 percent increase in cybersecurity premiums, and that CISOs are “increasingly leaning” on cybersecurity insurance to “offset their cyber risk.” To lower these premiums, organizations have reviewed and amended their cybersecurity programs to minimize their risk exposure and insurance reliance.
2. Deploy a Tool to Self-Calculate Your Risk
Because there is no industry standard for calculating an organization’s risk—which forms the basis of the organization’s insurance premiums—CPO Magazine notes that many organizations have adopted External Attack Surface Management (EASM) platforms. EASM platforms can be used to “immediately identify and validate the geography, industry and size of a company in relation to their digital footprint—cloud, hosting providers, subsidiaries, supply chain and third party vendors included.” Thus, EASMs can assist organizations in automatically calculating their own risk factors, as opposed to deploying teams of employees to perform risk assessments by manually tracking and cataloging each organizational asset.
These EASMs increase the speed and efficiency of an organization’s risk-minimizing efforts, and also provide a reliable set of variables that can later be used to negotiate—or at least anticipate—cybersecurity insurance premiums.
3. Engage in Real-Time Monitoring
Another solution posed by CPO Magazine is for your organization to engage in real-time exposure monitoring “across the entire attack surface of an enterprise organization — including their subsidiaries, supply chain and third party vendors across all environments — on premise, off premise and on the cloud.” Although this approach may be more cumbersome for an organization than the use of EASM, it permits the risk-assessment operation to remain in-house and human-led, which some organizations may prefer.
This real-time approach permits organizations to appropriately respond to any risks that arise in a timely fashion so that the organization will not face increased premiums, reinsurance costs, or other surcharges that can be assessed to an organization’s insurance bill when a risk remains in the organization without detection or response.
4. Budget Accordingly
Although these tactics can minimize premiums, a Cybersecurity Dive article notes that the number of cybersecurity insurance claims in Q1 of 2022 “remains high” in alignment with claims that were filed in 2021. Contributing to these increased premiums is the increase in the number of organizations that are retaining cybersecurity insurance. In fact, according to Crypto-Reporter, the cybersecurity insurance market “scenario is projected to grow from USD 11.9 billion in 2022 to USD 29.2 billion by 2027, at a CAGR of 19.6 percent during the forecast period.”
Despite this, sources provided by Cybersecurity Dive have stated that this increased interest will lead to increased competition amongst insurance companies and, in turn, an increased likelihood of rate moderation. But conversely, the U.S. Government Accountability Office (GAO) has “questioned whether insurance can cover cyberattack losses,” calling the validity of the market demand into question.