5 Essential Cybersecurity Measures For Insurance Approval
May 9, 2023
When it comes to a breach, most people think of the immediate consequences, like data loss, client notification, or legal action. But what about the long-term effects? Like business downtime? Or the impact on employee morale? Or your insurance costs?
Believe it or not, having weak cybersecurity won’t just affect your reputation with clients and partners; it’ll affect your reputation with insurance companies and whether or not they’ll take you on as a risk. Why? In response to growing cybercrime and high claims payouts, insurers have become a lot more selective about their clients in recent years. And if you fall short of their security requirements, you won’t qualify for Cyber Insurance at all, or you’ll have to settle for less coverage, but at a much higher cost.
What are the requirements? How can you keep your business safe and stay insurable? Keep reading to learn more.
Why are insurance companies so selective?
Although cybercrime had been on the rise for years, the frequency and severity of breaches—and remediation costs—reached record levels by 2019; the pandemic, subsequent workplace disruptions, and transition to remote work only made matters worse. But despite the increasing sophistication of breaches, most incidents were still caused by well-known and often preventable security flaws, like poor password hygiene or email compromise. And when faced with a ransomware attack, many businesses would pay hackers’ demands to swiftly regain their data, counting on insurers to foot the bill and make them whole again, rather than improving their own cybersecurity defences.
As a result, insurance companies have had to shift their application requirements to align with threat levels, protect their existing clients, and ensure they’re financially secure enough to pay for other cyber claims. According to the 2021 CIRA Cybersecurity Survey, 35% of organizations applying for Cyber Insurance reported increased premiums. 34% were asked to verify cybersecurity measures, 29% had changes in eligibility criteria for obtaining and renewing coverage, and 23% saw reduced reimbursement amounts for ransomware attacks.
Now, most insurers are now imposing baseline controls for organizations to even qualify for coverage, including security measures, risk assessments, and incident response plans. Whether you’re applying for a new policy or renewing an existing one, failure to meet these requirements could put you in a high-risk category, leading to higher premiums, restricted coverage, or denial of coverage altogether.
No Cybersecurity, No Cyber Insurance: What are the requirements?
Unfortunately, security is still on the back burner for most businesses. Many perceive the risk of data compromise to be low and see insurance as a way around investing in IT security, while others simply don’t have the time or resources to do more than the bare minimum. Or they just might not know where to start. In an increasingly digital world, how do you decide which cyber controls to deploy first, especially when you have a limited budget to work with?
To help you out, here are five security safeguards all organizations should focus on, regardless of size, workforce, or industry. While every company will have different criteria, the controls below are required by most cyber insurers and will help you either reduce the likelihood of a breach or mitigate its impact.
1. Multi-Factor Authentication
Multi-factor authentication (MFA) requires users to provide two or more pieces of evidence, like a mobile app, access card, or even voice recognition, to verify their identity before granting login access. MFA makes it harder for cybercriminals to reach your information by adding an extra layer of security to protect your devices, networks, and accounts. Even if your login credentials are weak, stolen, leaked, or otherwise exposed, threat actors still won’t be able to gain entry unless they have your other information, effectively rendering most phishing and other hacking efforts useless. In fact, according to Microsoft, 99.9% of account compromise attacks can be blocked by multi-factor authentication.
To block attacks at multiple access points, you should deploy MFA across your enterprise wherever critical or sensitive data is stored or transmitted, including corporate email accounts, VPNs, and financial accounts.
Encryption is a way of encoding or scrambling data so that only authorized parties can read the information. To do so, it changes the original content, known as plaintext, to an alternative form, or ciphertext, so that it appears random and incomprehensible to unauthorized individuals. In order to decipher the data, the viewer must have a cryptographic key to convert it back to plaintext; this reversal process is known as decryption.
When applied correctly, encryption is one of the most powerful tools in your arsenal to protect data at-rest and in-transit. Although it won’t stop a breach from happening, encryption can prevent cybercriminals from holding data hostage or repurposing it in future attacks. Even if data is intercepted, only users who have the right key will be able to translate it.
3. Endpoint Detection & Response
Endpoint detection and response (EDR) solutions identify and respond to threats that target endpoints within a network, like desktops, laptops, servers, and mobile devices. EDR continuously monitors network traffic, file events, system processes, and user behaviour for signs of malicious activity. This data is then analyzed to provide insights for threat remediation and strengthen your security perimeter.
Early detection is crucial to minimize the damage caused by a breach. That way, you’ll have a window of opportunity to uncover sophisticated threats that might otherwise go unnoticed and neutralize them right from the get-go. In addition to incident response, EDR can also help you proactively spot vulnerabilities, take steps to improve your overall security posture, and stay ahead of hackers.
4. Security Awareness Training
Security awareness training is a formal program designed to help employees understand the role they play in preventing privacy breaches and protecting corporate assets. Effective training teaches people how to safely use data, identify and avoid potentially harmful situations, and respond to cyber threats.
Education matters; users are on the front lines and even the most advanced cybersecurity tools in the world won’t make up for poorly trained staff. Everyone who is part of a network—anyone who shares, stores, edits, or can otherwise access your corporate data—should know how to protect it. In addition to regular training for existing employees, all new hires, including independent contractors, students, and interns, should be required to undergo training as part of their orientation.
5. Offline Backups
An offline backup is a secondary storage system in a secure external location; it’s not connected to any other computers, networks, or internet-enabled devices. The only way to transfer data to an offline system is by physically inserting some kind of removable media, like a USB key, disc, or external hard drive. Without a network connection or in-person access, it’s more or less impossible for someone to reach your information.
An offline backup can supplement your existing storage systems and assist with data recovery if your onsite or network backups are compromised. With a clean copy of your data, you’ll be able to restore your systems without succumbing to ransom demands. For good measure, your offline backup should include all forms of data stored within your company network, like databases, operating systems, applications, and configurations.
Is it worth it?
Most businesses see security updates as little more than a costly addition to the balance sheet. But if your organization suffers a breach, the cost of recovering from an attack will be significantly higher. And remember: it only takes one misconfiguration or missed patch to compromise your entire network.
Plus, in this day and age, cybersecurity is a required cost of doing business—and not just for your insurance. As the digital world grows, more and more clients, investors, and key partners want guarantees that their data will be protected if there’s a breach. And now, many are increasing their contractual requirements for data protection, ranging anywhere from having basic safeguards, to carrying certain levels of coverage, to a combination of both. Some organizations might even ask for a certificate of insurance as proof before proceeding with the contract.
If your cybersecurity isn’t up to par, you won’t just lose out on insurance—you’ll lose out on key clients and partners. And without insurance, you’ll have to shoulder the breach costs out-of-pocket, leaving yourself exposed to hundreds of thousands in regulatory fines, legal fees, restoration, and other remediation expenses.
What else can you do?
The controls above are just the tip of the iceberg. The truth is: cyber risk—and cybersecurity—are constantly evolving. As we implement fixes, hackers will adapt their techniques and find new ways of compromising data. Soon, these minimum requirements will become table stakes and insurers could mandate other security controls, like regular patching or limiting end-user access.
To keep up with the shifting nature of cybercrime and stay in insurers’ good graces, all businesses must be proactive, vigilant, and agile. In addition to your existing controls, prioritize ongoing cybersecurity and conduct routine scans of your networks, systems, and servers. Check in with your vendors and key partners; make sure their security is at least as good as your own. Develop incident response and business continuity plans to help you manage fallout. Seek out cyber and insurance experts that will help you navigate trends and reassess your strategy.
Even if you only start with the basics, you can still harden your defences enough to deter the average criminal and force them to move onto the next target. In doing so, you can remain insurable, keep your premiums manageable, and smooth out any delays in the application or renewal process. Above all, you can lower the chances of a breach, respond quickly and effectively, and recover your business that much sooner.
How can we help you?
For more guidance, connect with PROLINK. With over 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We can share what steps others in your industry are taking and help you become resilient in the face of attack.
Our dedicated team of risk advisors will help you:
- Identify cyber perils, attack scenarios, and any potential losses based on your business operations and unique needs;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Stay on top of emerging threats, legislations, and insurance requirements that could affect you;
- Adopt a proactive approach to risk management to control your costs long-term;
- Secure a specialized solution that aligns with your strategic objectives.
To learn more about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.