In its second pulse survey of 2022, international professional services firm PwC cites cyber as the top business risk. But getting a cyber insurance policy can be tricky and costly. As cyber attacks have escalated across every business small and large, cyber policies have followed suit, if you can even find a carrier willing to underwrite one. Thankfully, organizations can follow cyber strategies to arrive at more favorable policy terms and lower premiums.
Michelle Drolet is CEO of Framingham IT services firm Towerwall. Reach her at firstname.lastname@example.org or (774) 204-0700.
The rule is simple: The greater the cyber risk, the greater the insurance cost. Conversely, the better your security program, the cheaper your premium and the better your coverage terms. Insurers are risk-averse by nature; the coverage they offer must be directly proportional to the assumed risk.
When it comes to cyber, there’s no shortage of risk factors. These include the size and nature of the business; flaws in systems or processes; unpatched vulnerabilities attackers can exploit; third-party and supply-chain partners not abiding by standard security practices; compliance mandates overlooked or ignored, which can lead to data breaches and class-action lawsuits; social engineering attacks causing users to click on bogus links allowing attackers to bypass even the best security technology. The absence of policies, procedures, planning, tools, and security awareness training can have negative fallout and contribute to cyber risk.
To obtain value from a cyber insurance policy at lower monthly premiums, businesses should undergo a thorough cyber risk assessment to identify weak spots and implement safeguards to reduce risk factors. Insurers come to the table primed with these basic expectations. To make sure the meeting is productive for both parties, a range of security audits need to be tackled upfront for data, vulnerabilities, compliance, third-parties, network, cloud, and application assessments.
Specifically, the discovery and classification of data, its sensitivity, location and security controls; identification and prioritization of security vulnerabilities across the organization; gap analysis against industry-accepted standards or frameworks; identification and prioritization of third-parties based on risk factors; a security posture review of on-premise IT infrastructure, cloud environments and software as a service or third-party applications. Review the level of cyber hygiene and awareness of common social engineering scams among employees. Get buy-in from the top on the direct ties cyber has on business continuity. Preventive measures can be taken by running biannual penetration testing to harden defenses against known attack vectors.
The path is long and not easy but help is available. The consequences of not obtaining a settlement after incurring damages can obviously be devastating. In brief, negotiating a cyber policy for risk coverage requires organizations to present tangible evidence that the business remains resilient and compliant with digital and even physical security best practices.