Cyber insurance gives companies some financial peace of mind as an essential component of their cybersecurity risk mitigation strategy. It can help an organization recover from a data breach or cyber incident – or at least that used to be the case. For years, cyber insurance was used as a substitute for implementing appropriate cybersecurity controls rather than as a complement to them. That has changed, because the impact, methods and severity of cyber threats are continually evolving.
Cyber-related incidents are being recognized more and more as one of the top risks facing organizations of all sizes and industries. Organizations should no longer be surprised when they find that cyber insurance premiums have gone up and they have less coverage. Some may not be able to renew their insurance, pending proof they have the controls needed to protect and defend themselves against cyber-attacks.
As organizations continue to pursue a digital agenda and adopt more internet-facing systems, they increase their attack surface and become more susceptible to a cyber-attack. The adage “it’s not a matter of if, but when” a cyber-attack occurs holds true. Cybersecurity is not about checking a box to be compliant, but about managing your cyber risk. Insurers want to see that you understand your risks and that your controls are aligned accordingly. Cyber is therefore a risk that companies cannot ignore, and insurers will not budge unless organizations can show they address that risk with appropriate security controls.
Premiums for cyber insurance rose between June 2020 and June 2021, spiking by 32%, [1] which aligns with the increase in cyber activity since the pandemic. Cybercrime has increased by 600% since the COVID-19 pandemic. [2] In 2021, the number of publicly reported data breaches soared past the previous year’s total. [3] Phishing was the biggest culprit, with 36% of data breaches due, at least in part, to employee credentials stolen through a phishing attack, [4] 96% of which occur through email. [5] Ransomware is also running rampant, with ransomware attacks increasing by 80% year over year and double extortion (where you do not get your data back even after paying) increasing by 117%. [6]
Common Controls Requested by Insurance Companies
Below are common controls requested by insurance companies (not exhaustive):
- Cyber Risk Assessment
- Multi-Factor Authentication
- Anti-virus, anti-malware and/or endpoint protection software
- Critical Data Back-Ups
- Critical data stored separately from network data and tested regularly for restoration
- Patching of systems completed within 2 months
- Email scanning for malicious attachments and/or links
- Incident Response Plan
- Encryption of servers and workstations (encryption of data at rest)
- Encryption of data in transit
Do not wait until your insurance renewal to find out from your carrier what their requirements will be this year. Withum’s Cybersecurity Team can walk you through what is required and assist with the implementation of the controls.
Author: Jason Spezzano, Executive Cybersecurity Advisor | [email protected]
[3] “Q3 First-Half Data Breach Analysis,” Identity Theft Resource Center: Notified – ITRC
[5] Ibid