Chief strategy officer with Sevco Security, security industry entrepreneur, board advisor, investor and author.
Amid the steady onslaught of costly ransomware and other attacks, cyber insurance is more important than ever for businesses. A company can implement proper security controls and meet regulatory mandates, but breaches still happen—and when they do, cyber insurance can be a vital tool to help a business recover quickly. However, it’s also becoming more expensive, complicated and challenging to get.
According to Fitch Ratings, cyber insurance is the fastest-growing segment of the U.S. property/casualty insurance market. However, claims and payouts have jumped along with that growth, giving insurers a reason to be more exacting in what they expect from policyholders.
Between 2018 and 2021, Fitch found a 100% increase in the number of cyber insurance claims policyholders made and a 200% increase in the number of claims insurers paid out. Although premium increases have slowed somewhat, prices are still rising: according to insurance broker Marsh, average cyber insurance prices rose 11% in the first quarter of 2023 after a 28% jump in the last quarter of 2022.
Obtaining cyber insurance may once have been a straightforward process, but the growth and sophistication of the threat landscape have changed that. Companies looking to qualify for cyber insurance at reasonable rates now carry a substantial burden of proof: they must demonstrate to insurers that they have robust security controls in place and are complying with cybersecurity mandates.
There are multiple ways to demonstrate robust security controls, but three stand out: security assessments, breach and attack simulation and asset intelligence.
Security Assessments
Security assessments bring in outside experts to attempt to penetrate your environment and to evaluate and measure the effectiveness of your security controls. They can also measure how well-practiced your incident response team is and how well its processes hold up during an incident. The deliverables from these assessments help highlight and prioritize issues across talent, techniques and technology that can undermine the effectiveness of an organization's security controls.
Breach And Attack Simulation
Third-party penetration testers as well as in-house red, blue and purple teams can use breach and attack simulation solutions engineered to validate the effectiveness of security controls, from endpoint protection and network firewalls to email protection and SIEMs. They safely execute real attack techniques, such as data exfiltration and malware execution, to determine whether the controls prevent those attacks from succeeding.
They also determine whether the attacks are detected and whether they generate alerts, across hundreds or thousands of attack types. The resulting output maps each successful attack to the security control that failed and prescribes the adjustments needed, so that controls are not just in place but validated against the techniques they are meant to stop.
Asset Intelligence
Asset intelligence provides evidence-based, enforceable data at the point where regulatory compliance and cyber insurance meet. It is an area where auditors spend a substantial amount of time, because assessing a system requires understanding the whole of an organization's environment from a risk perspective, and auditors often deal with regulators and insurance companies at the same time.
From a security perspective, asset intelligence built on evidence-based security data—instead of merely taking inventory of devices and software—can help organizations comply with regulatory standards. Those standards, after all, are designed to ensure that specific security controls are in place. That data is also what insurers are looking for when drawing up a cyber insurance policy.
For organizations, the benefits of asset intelligence include:
• Risk reduction, which is a core discipline in compliance and produces some of the best data you can have when applying for cyber insurance.
• Quicker identification of security gaps, an essential step in the risk-reduction chain of vulnerability identification and mitigation, and another critical factor where regulatory requirements and insurance overlap.
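The difference between a plain device inventory and evidence-based asset data is easiest to see in code. The following is an added example, not code from the original article or from any vendor: it correlates three constructed inventory exports (a directory as the authoritative source, an EDR console and a vulnerability scanner) by normalized hostname, then reports which known hosts lack a control, which hosts a control sees that the directory does not know about, and which agents are installed but have gone silent. The source names, hostnames, field layout and 30-day staleness threshold are all assumptions made for illustration.

```python
"""Correlate asset inventories from several sources into control-coverage evidence.

Added example. Source names, hostnames, field layouts and thresholds are constructed
for illustration and do not correspond to any real product export."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    name: str                                   # normalized host key
    sources: set = field(default_factory=set)   # which inventories reported it
    last_seen: dict = field(default_factory=dict)  # source -> ISO date string


def normalize_host(raw: str) -> str:
    """Lowercase and drop any domain suffix so 'LAPTOP-07.corp.example.com'
    and 'laptop-07' correlate to the same asset."""
    return raw.strip().lower().split(".")[0]


def correlate(inventories: dict) -> dict:
    """inventories: {source_name: [{"host": str, "last_seen": "YYYY-MM-DD"}, ...]}
    Returns {normalized_host: Asset} merged across all sources."""
    assets = {}
    for source, records in inventories.items():
        for rec in records:
            key = normalize_host(rec["host"])
            asset = assets.setdefault(key, Asset(name=key))
            asset.sources.add(source)
            asset.last_seen[source] = rec["last_seen"]
    return assets


def coverage_gaps(assets: dict, authority: str, control: str) -> list:
    """Hosts the authoritative source knows about that are missing from a control."""
    return sorted(a.name for a in assets.values()
                  if authority in a.sources and control not in a.sources)


def unmanaged(assets: dict, authority: str) -> list:
    """Hosts some control has seen but the authoritative source has never recorded."""
    return sorted(a.name for a in assets.values() if authority not in a.sources)


def stale_agents(assets: dict, control: str, as_of: str, max_age_days: int) -> list:
    """Hosts where the control is 'installed' but has not checked in recently.
    An inventory that only lists installed agents would miss these."""
    cutoff = date.fromisoformat(as_of)
    return sorted(a.name for a in assets.values()
                  if control in a.sources
                  and (cutoff - date.fromisoformat(a.last_seen[control])).days > max_age_days)


def coverage_report(assets: dict, authority: str, controls: list) -> dict:
    """Per-control coverage figures an auditor or underwriter can check."""
    total = sum(1 for a in assets.values() if authority in a.sources)
    report = {}
    for control in controls:
        gaps = coverage_gaps(assets, authority, control)
        covered = total - len(gaps)
        report[control] = {
            "covered": covered,
            "total": total,
            "pct": round(100 * covered / total, 1) if total else 0.0,
            "gaps": gaps,
        }
    report["unmanaged"] = unmanaged(assets, authority)
    return report


# Constructed sample exports (assumed format; not real data).
SAMPLE_INVENTORIES = {
    "directory": [  # authoritative: what the organization believes it owns
        {"host": "laptop-01", "last_seen": "2023-06-02"},
        {"host": "laptop-02", "last_seen": "2023-06-02"},
        {"host": "SRV-DB-01.corp.example.com", "last_seen": "2023-06-01"},
        {"host": "laptop-03", "last_seen": "2023-06-02"},
    ],
    "edr": [
        {"host": "LAPTOP-01", "last_seen": "2023-06-01"},
        {"host": "laptop-02.corp.example.com", "last_seen": "2023-04-15"},  # silent agent
        {"host": "laptop-03", "last_seen": "2023-06-02"},
        {"host": "vendor-kiosk", "last_seen": "2023-06-02"},  # not in the directory
    ],
    "vuln_scanner": [
        {"host": "laptop-01", "last_seen": "2023-05-30"},
        {"host": "srv-db-01", "last_seen": "2023-05-30"},
        {"host": "laptop-03", "last_seen": "2023-05-30"},
    ],
}


if __name__ == "__main__":
    assets = correlate(SAMPLE_INVENTORIES)
    report = coverage_report(assets, "directory", ["edr", "vuln_scanner"])
    for control in ("edr", "vuln_scanner"):
        r = report[control]
        print(f"{control}: {r['covered']}/{r['total']} ({r['pct']}%) gaps={r['gaps']}")
    print("unmanaged:", report["unmanaged"])
    print("stale EDR agents (>30 days):", stale_agents(assets, "edr", "2023-06-03", 30))
```

The point of the example is that each line of the report is something an underwriter can verify rather than a self-reported "EDR is deployed": the database server with no EDR agent, the laptop whose agent stopped reporting seven weeks ago and the kiosk nobody put in the directory are exactly the gaps a device count alone would hide.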
Incontrovertible evidence-based data that shows that an organization is taking a proactive approach to risk management can translate to more favorable terms for cyber insurance, including lower premiums and other elements such as the length of a policy. With car insurance, if you can show an insurer that you live in the middle of nowhere and your nearest neighbor is 50 miles away, you’ll pay less for insurance. With cyber insurance, the data you derive is worth dollars and cents.
It can also benefit insurers by making them more competitive. Having a better understanding of a company’s security posture not only allows insurers to offer a lower rate but also gives them the flexibility to customize policies—tailoring them to the unique needs and risks of the business.
Conclusion
Cyber insurance is critical for businesses operating in the face of mounting threats and the possibility of expensive, reputation-damaging breaches. A company that can assess its security, conduct breach and attack simulations and offer a clear view of its enterprise should get more favorable terms on insurance.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.