Understand Cyber Insurance: Rising Risks and How to Right-Size Policies

Cyber insurance can be a tricky part of cybersecurity strategy — here’s what to know in today’s security climate

By John Reith, Partner Success Manager at DataStream Cyber Insurance

Cyber insurance is an increasingly crucial backstop to cybersecurity practices. While enlisting comprehensive protections and preventing data breaches is always the best-case scenario, a sufficient cyber insurance policy can mitigate the sizable expenses that arrive in a breach’s aftermath—from the investigation, to public relations and legal costs, to regulatory fines. Because cyber insurance often requires policyholders to adhere to prescribed cybersecurity practices based on established compliance mandates, cyber insurance can also help businesses adopt safeguards to get their houses in order and stay on regulators’ good sides.

As I see it, the day is fast arriving when most businesses will be required to hold cyber insurance—maybe even every business. Mortgage lenders require borrowers to carry homeowners insurance, and the law requires every car owner to carry auto insurance. This forces owners to take responsibility and mitigate the costs of a disaster themselves. Cyber insurance fills a similar role, enabling organizations to both take financial responsibility and protect themselves from data breach costs that could otherwise put them out of business.

In the same way, some lenders now require organizations to carry cyber insurance to make sure they can repay their business loans. Some businesses now require cyber insurance in contracts with supply chain partners to ensure their security and stability. The government has a similar interest in making sure organizations representing key infrastructure can survive a cybersecurity event. Some managed service providers (MSPs) even now require that their clients carry cyber insurance, declining the risk of working with businesses that don’t.

However, many SMBs—and even the MSPs they rely on for expert guidance in cybersecurity matters—still don’t fully grasp the importance of adequate cyber insurance and the tremendous risks they face without it. These organizations and their partners may similarly have inaccurate notions of what size of a cyber insurance policy is appropriate, the lengths they must go to demonstrate effective cybersecurity practices, and how to vet cyber insurance providers to ensure trust.

Let’s set these misconceptions straight.

SMBs, look out

In general, small- and medium-sized businesses require a wake-up call to shatter their false sense of security. Although cyberattacks on SMBs don’t make media headlines like major enterprises, the fact is that cyber attackers actually prefer to go after SMBs, because they’re usually soft targets.

SMBs often falsely believe they’re not on attackers’ hit lists, or that an incident such as a ransomware attack will only impact their systems for a few hours. In reality, they are attackers’ prime targets, and most ransomware attacks lock up systems for days or weeks. The bottom line: 75% of SMBs would go out of business if struck with ransomware. Effective cyber security and cyber insurance mitigate that extinction-level risk for SMBs.

How much cyber insurance does an organization need?

Cyber insurance policies are broad, and choosing the right coverage is essential to an organization’s survival in the aftermath of an incident. MSPs and cybersecurity experts can offer crucial guidance in selecting effective policies and making sure that organizations meet all policy requirements.

As a best practice, businesses should carry coverage equaling at least 15% of their annual revenue, or $1 million minimum. Policies may include first-party coverage for the company’s costs caused by an incident, and third-party coverage for costs relating to their customers or other parties. Policies may include sub-limits and exclusions as well. A policy with $1 million dollars in coverage might have a sub-limit of just $50,000 for ransomware incidents. A policy with an exclusion for social engineering-based attacks—an exceptionally effective method for attackers today—would leave a business covering its own costs for such an incident. This is why thorough attention to policy terms and conditions can make or break an organization when it’s time to put in a claim.

Cyber insurance (still) requires robust and compliant cybersecurity

Trust me, cyber insurance providers don’t stay in business by insuring organizations with bad security. Businesses must pass a risk assessment and security questionnaire to complete the underwriting process. Such risk assessments are usually based on established regulatory frameworks such as the NIST Framework and others. Therefore, effective cybersecurity is a requisite for cyber insurance. Businesses must implement comprehensive tooling, such as data encryption, access control, multifactor authentication (MFA), automated threat monitoring and mitigation, logging and reporting, and more. For this reason, I recommend multi-faceted security tools to organizations, such as BeachheadSecure, which meets 76% of NIST requirements, and Acronis in order to start checking a lot of boxes and set the table for a successful cyber insurance partnership.

All that said, having effective cyber security isn’t enough: organizations must carefully document protections to ensure approval of cyber insurance claims. For instance, a business required to implement MFA on all endpoint devices needs to have screenshots and documentation ready to prove that even newly added devices have those contractually necessary safeguards in place, and that they were active as an incident occurred.

Be wary of traditional insurers

Cyber insurance is a specialized product requiring expertise on the insurer’s part as well. Unfortunately, some traditional insurers began to offer cyber insurance in recent years without acquiring the knowledge to do so correctly. The result has been horror stories, as these providers fail to correctly explain policy requirements to customers and then deny their claims for failure to meet those unclear requisites. Just as cyber insurers vet potential customers, organizations should carefully vet their insurers as well, and stick to trustworthy proven cyber insurance providers.

Protect your organization before and after an attack

Comprehensive cyber security and cyber insurance play an overlapping role in protecting organizations from the potentially devastating impacts of a cyberattack. Cyber insurance providers require organizations to implement robust security processes, and insulate them from the consequences if those measures nevertheless fail. By selecting the right cyber insurance strategy and policy, businesses can take peace of mind that they will survive anything attackers throw their way.

About the Author

John Reith is a Partner Success Manager at DataStream Cyber Insurance. He joined the company in 2021 from Forecastable, and has also held channel roles at Time to Reply and Seynd. John lives outside of Austin, Texas. He can be reached via LinkedIn https://www.linkedin.com/in/john-reith-vii/ and at https://datastreaminsurance.com/