How can cyber-insurance benefit organisations?
Ilia Sotnikov at Netwrix highlights what cyber-insurance entails and explains how it can benefit organisations in developing a more comprehensive cyber-security strategy
Business leaders could be forgiven for considering cyber-insurance to be a business overhead, something that doesn’t deliver benefit until they make a claim — which, of course, they hope they never need to do.
But in fact, cyber-insurance can contribute significant business benefits: The application process can be the catalyst for improving cyber-security, thereby reducing the risk of a successful cyber-attack and minimising impact should one happen.
Why does cyber-insurance matter?

Both the frequency and impact of cyber-attacks are continuing to rise. Ransomware is a particularly compelling example, with ransom payments of almost $450 million paid out in the first six months of 2023 alone, and of course that is just one of the many expenses associated with such attacks.
Companies must do everything in their power to prevent cyber-attacks, but they also need to protect themselves against the reality that they might fall victim to one. As they come to grips with the security risks they face, they are likely to consider cyber-insurance. Indeed, Netwrix’s 2023 Hybrid Security Trends report found that 44% of organisations are currently insured and 15% are planning to purchase a policy within the next year.
Companies take out cyber-insurance to reduce their financial losses should they suffer a cyber-incident. Insurance can provide recompense for the costs of:

  • Data and system recovery 
  • Downtime caused by an attack
  • Forensic analysis and incident response 
  • Incident handling costs, including spend on PR, client notifications and credit monitoring services for affected customers
  • Legal services 
  • Certain types of liability for breaches of regulated data

Some insurers also agree to reimburse the ransom payment under specific circumstances. However, this approach is still questionable as some experts argue that it can encourage further attacks and fund criminal activities.
How does cyber-insurance work?

As with any type of insurance, cyber-insurance is based on risk assessment — an insurance provider will assess factors such as the organisation’s data and information security posture, related processes and procedures, breach history, and legal and regulatory compliance. Companies that host large volumes of personally identifiable information (PII) or other highly sensitive content may be required to comply with stricter protocols. 
If an assessor finds that an organisation lacks sufficient security controls, it is unlikely to approve it for a policy at any price. 
If a policy is offered, companies should carefully review all limitations and stipulations. For example, the policy may cap payouts at a specified maximum amount, or it might not provide coverage for the long-term consequences of a compromise, such as customer churn and financial loss due to the damaged reputation.
In addition, a policy might require the insured company to take a particular approach in handling a cyber-incident, such as using professional ransom negotiation services to handle a ransomware demand. 
How can cyber-insurance help organisations? 

Cyber-insurance can do more for a company than simply mitigate the financial impact of incidents that might happen, however — the process of applying for cyber-insurance can be a catalyst to improve cyber-security, thereby reducing the chances of suffering a successful attack and minimising the impact if one does occur. 
Specifically, an insurer’s risk assessment audit can uncover security gaps in an organisation’s defences and even provide recommendations on how to address them. After all, few organisations are better informed about IT security risks than cyber-insurance providers. They deal with company claims and risk assessments all the time, so they have deep visibility into the threat landscape and knowledge of best practices for identifying and addressing security vulnerabilities. 
The measures most commonly required to qualify for a cyber-insurance policy are multifactor authentication, patch management and regular security training, according to a Netwrix study. In fact, half of the organisations surveyed said they made changes to their security strategy to either meet the demands of the policy they purchased or to reduce their premium. 
Security measures may not be imposed in the same way on all organisations. For instance, every organisation should have robust patch management processes, but insurance companies may have a more flexible standard for SMBs compared to multinationals when it comes to how quickly fixes and updates need to be rolled out.
That said, one underlying principle remains: insurers expect every customer to implement their duty of care, which varies according to the size of the organisation, the sector it operates in, the types of data it processes and the level of coverage it seeks. Some insurers offer services designed to mitigate risk, such as cyber-security training and threat intelligence. 
Companies should make the most of the guidance they gain through an insurance assessment process, but any resulting recommendations must be taken as only one element of a more comprehensive cyber-security strategy.
In other words, all credible analyses of risk and vulnerabilities provide a valuable opportunity to improve, but an insurer’s recommendations shouldn’t be considered an exhaustive list for boosting cyber-security. After all, an insurer’s focus may be on mitigating the latest attack techniques, or it might make general assumptions about basic security principles.  
Capitalising on cyber-insurance

Companies must equip themselves in the best way possible to prevent successful cyber-attacks, promptly detect threats, and respond to and recover from incidents. Cyber-insurance can help cover financial losses resulting from a security compromise — and it can also provide an excellent opportunity to gain insights into an organisation’s specific strengths and vulnerabilities.
Companies can capitalise on the assessment process by using it to take steps to meet high cyber-security standards and embrace optimal practices. 
Ilia Sotnikov is Security Strategist at Netwrix
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543