Believe it or not, having weak cybersecurity won’t just affect your reputation with clients and partners; it’ll affect your reputation with insurance companies and whether or not they’ll take you on as a risk. Why? In response to growing cybercrime and high claims payouts, insurers have become a lot more selective about their clients in recent years. And if you fall short of their security requirements, you won’t qualify for Cyber Insurance at all, or you’ll have to settle for less coverage, but at a much higher cost.

What are the requirements? How can you keep your business safe and stay insurable? Keep reading to learn more.

Why are insurance companies so selective?

Although cybercrime had been on the rise for years, the frequency and severity of breaches—and remediation costs—reached record levels by 2019; the pandemic, subsequent workplace disruptions, and transition to remote work only made matters worse. But despite the increasing sophistication of breaches, most incidents were still caused by well-known and often preventable security flaws, like poor password hygiene or email compromise. And when faced with a ransomware attack, many businesses would pay hackers’ demands to swiftly regain their data, counting on insurers to foot the bill and make them whole again, rather than improving their own cybersecurity defences.

As a result, insurance companies have had to shift their application requirements to align with threat levels, protect their existing clients, and ensure they’re financially secure enough to pay for other cyber claims. According to the 2021 CIRA Cybersecurity Survey, 35% of organizations applying for Cyber Insurance reported increased premiums. 34% were asked to verify cybersecurity measures, 29% had changes in eligibility criteria for obtaining and renewing coverage, and 23% saw reduced reimbursement amounts for ransomware attacks.

Now, most insurers are now imposing baseline controls for organizations to even qualify for coverage, including security measures, risk assessments, and incident response plans. Whether you’re applying for a new policy or renewing an existing one, failure to meet these requirements could put you in a high-risk category, leading to higher premiums, restricted coverage, or denial of coverage altogether.

RELATED: Sink or Swim: How Can Businesses Survive the Cybercrime Tsunami

No Cybersecurity, No Cyber Insurance: What are the requirements?

Unfortunately, security is still on the back burner for most businesses. Many perceive the risk of data compromise to be low and see insurance as a way around investing in IT security, while others simply don’t have the time or resources to do more than the bare minimum. Or they just might not know where to start. In an increasingly digital world, how do you decide which cyber controls to deploy first, especially when you have a limited budget to work with?

To help you out, here are five security safeguards all organizations should focus on, regardless of size, workforce, or industry. While every company will have different criteria, the controls below are required by most cyber insurers and will help you either reduce the likelihood of a breach or mitigate its impact.

1. Multi-Factor Authentication

Multi-factor authentication (MFA) requires users to provide two or more pieces of evidence, like a mobile app, access card, or even voice recognition, to verify their identity before granting login access. MFA makes it harder for cybercriminals to reach your information by adding an extra layer of security to protect your devices, networks, and accounts. Even if your login credentials are weak, stolen, leaked, or otherwise exposed, threat actors still won’t be able to gain entry unless they have your other information, effectively rendering most phishing and other hacking efforts useless. In fact, according to Microsoft, 99.9% of account compromise attacks can be blocked by multi-factor authentication.

To block attacks at multiple access points, you should deploy MFA across your enterprise wherever critical or sensitive data is stored or transmitted, including corporate email accounts, VPNs, and financial accounts.

RELATED: Multi-Factor Authentication: Why Passwords Aren’t Enough Anymore

Is it worth it?

Most businesses see security updates as little more than a costly addition to the balance sheet. But if your organization suffers a breach, the cost of recovering from an attack will be significantly higher. And remember: it only takes one misconfiguration or missed patch to compromise your entire network.

Plus, in this day and age, cybersecurity is a required cost of doing business—and not just for your insurance. As the digital world grows, more and more clients, investors, and key partners want guarantees that their data will be protected if there’s a breach. And now, many are increasing their contractual requirements for data protection, ranging anywhere from having basic safeguards, to carrying certain levels of coverage, to a combination of both. Some organizations might even ask for a certificate of insurance as proof before proceeding with the contract.

If your cybersecurity isn’t up to par, you won’t just lose out on insurance—you’ll lose out on key clients and partners. And without insurance, you’ll have to shoulder the breach costs out-of-pocket, leaving yourself exposed to hundreds of thousands in regulatory fines, legal fees, restoration, and other remediation expenses.

RELATED: The Consequences of a Breach: Can your business survive a cyberattack?

What else can you do?

The controls above are just the tip of the iceberg. The truth is: cyber risk—and cybersecurity—are constantly evolving. As we implement fixes, hackers will adapt their techniques and find new ways of compromising data. Soon, these minimum requirements will become table stakes and insurers could mandate other security controls, like regular patching or limiting end-user access.

To keep up with the shifting nature of cybercrime and stay in insurers’ good graces, all businesses must be proactive, vigilant, and agile. In addition to your existing controls, prioritize ongoing cybersecurity and conduct routine scans of your networks, systems, and servers. Check in with your vendors and key partners; make sure their security is at least as good as your own. Develop incident response and business continuity plans to help you manage fallout. Seek out cyber and insurance experts that will help you navigate trends and reassess your strategy.

Even if you only start with the basics, you can still harden your defences enough to deter the average criminal and force them to move onto the next target. In doing so, you can remain insurable, keep your premiums manageable, and smooth out any delays in the application or renewal process. Above all, you can lower the chances of a breach, respond quickly and effectively, and recover your business that much sooner.

How can we help you?

For more guidance, connect with PROLINK. With over 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can share what steps others in your industry are taking and help you become resilient in the face of attack.

Our dedicated team of risk advisors will help you:

• Identify cyber perils, attack scenarios, and any potential losses based on your business operations and unique needs;
• Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
• Stay on top of emerging threats, legislations, and insurance requirements that could affect you;
• Adopt a proactive approach to risk management to control your costs long-term;
• Secure a specialized solution that aligns with your strategic objectives.

To learn more about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today!