Organizations that would like to buy or renew a cyber insurance policy in 2023 should prepare for an uphill battle. Cyber insurance companies are trying to cover their escalating costs by declining or offering limited coverage to those who are not sufficiently prepared to operate in today’s threat landscape.
Cyber Insurance Has Become Hard to Get
Since the outbreak of the COVID-19 pandemic, the demand for cyber insurance has been increasing, fueled by an endless stream of cyber attacks. According to an October 2022 memorandum from the US-based National Association of Insurance Commissioners, around $6.5 billion in direct written premiums were recorded in 2021, an increase of 61 percent over the prior year.
During the first quarter of 2022 alone, cyber insurance costs increased by a whopping 102 percent in response to the growing number of claims and the costs associated with them. In addition to the steep rise in cyber insurance premiums, cyber insurance companies are now requiring applicants to demonstrate a strong cybersecurity posture before agreeing to provide coverage.
Organizations that fail to meet their terms are not seen as cyber-insurable. That can be a costly problem because the percentage of organizations reporting a cyber attack jumped from 43 percent in 2021 to 48 percent in 2022, according to a report by insurance provider Hiscox. The same report revealed that 20 percent of organizations that suffered an attack said their solvency was threatened, which is hardly a surprise considering that the median cost of an attack is now just under $17,000.
Best Practices for Becoming Cyber-Insurable
Since it’s now more difficult than ever before to score a cyber insurance policy with favorable terms and acceptable premiums, organizations need to proactively implement the cybersecurity best practices insurers always look for when evaluating an organization’s risk profile.
1. Multi-Factor Authentication (MFA)
Organizations that don’t implement MFA can forget about becoming cyber-insured in 2023—that’s how important this best practice is for most insurers, and for a good reason. According to Microsoft, MFA stops 99 percent of authentication or account takeover attacks, one of the most common types of cyber attacks used by modern cybercriminals.
2. Third-Party Risk Management
In September 2022, Ponemon Institute and Mastercard’s RiskRecon released a report that revealed something alarming: 54 percent of organizations had been breached through third parties in the previous 12 months. Obviously, cyber insurance companies don’t want to take on clients that share privileged access with third parties whose cybersecurity is even less leak-proof than a screen door on a submarine. Instead, they want to see their clients implement robust third-party risk management processes to identify and eliminate risks related to third parties.
3. Endpoint Security
Insurers view endpoint security as a critical component of an organization’s cyber defense strategy, and organizations that have robust endpoint security in place are more likely to be considered for cyber insurance coverage. This holds even more weight for organizations whose employees are allowed to work remotely because the absence of a clearly defined network perimeter increases the likelihood of cybersecurity incidents.
4. Patch Management
Approximately 60 percent of breached organizations cite an unpatched vulnerability as the culprit, and the problem is expected to only get worse as information technology systems grow more complex. As far as cyber insurance companies are concerned, the ideal policyholder is one who has implemented automated patch management to ensure that all operating systems and applications are always up to date.
5. Employee Education and Training
People will always be the weakest link in cybersecurity, but that doesn’t mean this link can’t be strengthened. Regular cybersecurity awareness training sessions can make employees aware of the threats they face and equip them with the skills necessary to avoid them. Employee education and training is especially effective against social engineering attacks like phishing, vishing, and smishing.
6. Incident Response Planning
By having a well-defined incident response plan in place, an organization demonstrates to potential insurers that it is proactive in addressing cybersecurity threats and has a clear understanding of the risks it faces. An especially critical component of incident response planning is backup and disaster recovery because it provides the means to restore normal operations after an incident has occurred.
7. Vulnerability Assessments
Cybersecurity attacks are constantly evolving, and so are the information technology systems they aim to exploit. Cybersecurity insurance companies prefer organizations that are continuously assessing their overall risk profile by identifying and prioritizing potential vulnerabilities in their systems as part of regular vulnerability assessments.
Become Cyber-Insurable With OSIbeyond
As a provider of managed IT & cybersecurity services, we at OSIbeyond understand the importance of a strong security posture in today’s threat landscape. We help small and medium-sized organizations across all industries implement the best practices that cyber insurance companies want to see when evaluating a client’s risk profile.
Don’t let the rising cost of cyber insurance and the increasing difficulty of obtaining coverage hold your organization back.