Cybercrime has evolved into a multi-billion-dollar industry. As cyber risk grows, a sound cybersecurity program helps an enterprise build a healthy risk profile, which in turn lets it transfer part of that risk to an insurer through a cyber insurance policy.
Cybersecurity risk is continuous, omnipresent, and costly, and managing it means facing an unpredictable threat landscape with expensive consequences. According to the FBI's Internet Crime Complaint Center (IC3), between 2017 and 2021 it received 2.71 million complaints of internet crime, with reported losses of $18.7 billion. The average cost of a ransomware attack, for example, rose 82% between 2020 and 2021, with the average payout presently hovering around $570,000.
Maintaining a healthy cyber risk profile balances risk avoidance, acceptance, mitigation, and transference. Some cyber risks can be offloaded to third-party insurance carriers who cover large cyber losses should a compromise occur. This approach can help a firm smooth the rough edges of its cyber risk.
Insurance carriers are careful about issuing cyber insurance policies and only underwrite organizations that fit within their risk tolerance. Carriers increasingly expect organizations to substantiate their risk posture through a demonstrable cybersecurity program before they will issue a cyber policy.
A strong cyber program with a solid focus on important areas is crucial for those seeking cyber coverage today.
The Relationship between Cyber Insurance and Your Cybersecurity Program
Obtaining cyber coverage from a third party can help an organization weather events that fall outside its tolerance for loss, provided those events are insurable and the premium is within its means. Insurers evaluate the variables within the insured's control by examining the elements of its cyber program, so enterprises must demonstrate that they maintain a healthy cyber risk profile through a robust security program.
Maintaining such a profile is about finding the right balance of risk avoidance (avoiding risk-taking activities), risk acceptance (weathering the storm when it hits), risk mitigation (implementing controls that reduce the likelihood and impact of a cyber event), and risk transference (offloading some risk to third parties). A sound cyber program mitigates risk, helps make an enterprise insurable, and can lower premiums and deductibles once it is insured.
Many variables—some controllable and some not so controllable—will influence an insurance carrier’s issuance of a cyber insurance policy. It all comes down to controlling what you can and achieving a risk profile that carriers are willing to back. Your cyber risk mitigation strategies must be sound.
How can you achieve an optimal risk profile and offload a reasonable amount of risk to an insurance carrier via a paid policy?
In our interactions with cyber insurance carriers and other stakeholders who are insured, we’ve come up with ten concise recommendations to optimize your cyber risk profile:
Ten Recommendations for Optimizing Your Cyber Risk Profile
- Install leadership that will plan properly and execute a rigorous cybersecurity program. Examine your landscape. Identify the gaps between your present state and your target state. Lay out a plan to close those gaps and achieve a reasonable, if not exemplary, risk profile.
- Manage your data. This effort begins with a clear understanding of which data is critical and where it resides. Once you understand your data, implement a layered set of preventive and detective controls to protect it.
- Manage privileged user and system accounts. Ideally you would have complete accountability for every user account and its activity, but privileged (admin, super user, root) accounts deserve particular attention: they offer attackers an extremely fertile attack surface, and compromising one typically grants control over the less privileged accounts beneath it. Managing every account with access to critical business functions and highly sensitive data is essential to obtaining an effective cyber insurance policy.
- Implement multi-factor authentication (MFA) for all externally accessible systems. MFA is an essential weapon in a company's security arsenal. Require it for every user account on every externally accessible corporate and third-party environment, not just for privileged users or administrators.
- Focus on endpoint detection and response (EDR/XDR). Endpoints are often the first line of defense against cyberattacks and regularly the last. They are where users interact most, which makes them a prime target for attacks aimed at those users. Evaluate EDR/XDR solutions carefully and select a product that detects and blocks malware and hostile activity on the endpoint.
- Implement a robust incident management program designed to detect attackers quickly and repel them just as quickly. Strive for a program that fuses disciplines from across the enterprise (e.g., business, IT, security, AML, HR, legal, fraud, and privacy), is tested continuously through red, blue, and purple team exercises, and is practiced and updated regularly.
- Direct efforts to asset management, hardening, patching, and vulnerability management (basic hygiene). Maintain an up-to-date inventory of systems, and ensure each is appropriately hardened, patched, and kept current.
- Manage application and infrastructure growth and lifecycle (AGL/IGL). Keep an inventory of systems and applications so that software and firmware are retired before they reach the end of their supported lives. Keeping legacy, out-of-date systems running often forces otherwise current systems to keep supporting insecure protocols and applications for compatibility, putting them at risk too.
- Be attentive to third-party risk management. While a third party may share some of your risk, it cannot fully absorb it; its failures tend to become your own. Vet and manage all third parties continuously, not just at onboarding. Hold them accountable when they act outside the scope of their service-level agreements and leave your processes and data exposed.
- Have a plan for business continuity and disaster recovery in the wake of a cyber breach. Conduct a thorough business impact analysis, build the business continuity and recovery plan around it, focus that plan on what is genuinely needed to recover, and practice it regularly.
Mitigating Risk to an Acceptable Level
Acquiring cyber insurance, like other forms of corporate insurance, helps offload cyber risk and manage events that could otherwise threaten the firm's ability to continue as a going concern. Managing risk to the right mix of acceptance, avoidance, mitigation, and transfer (such as to an insurer) is essential. In the end, a balanced risk profile, complemented by a well-managed, layered cybersecurity program, will not only help you acquire a favorable cyber insurance policy but may also reduce your overall exposure to cyber events and costly security breaches.