Strategies for Successful IT Security Investments in Cyber Insurance
Any conversation on cyber insurance must take place in the context of your broader security strategy in order to succeed.
Cyber security events do substantial damage to businesses and even force some to close.
It’s essential for any business to have two things:
A comprehensive cyber security strategy.
Cyber insurance coverage. Even with the best strategy in place, incidents can happen, and cyber coverage is in high demand.
The problem companies run into is leaping into a discussion on insurance coverage without the context of a larger cyber security strategy. Your strategy and coverage must be coordinated both to avoid overspending and to ensure you have the best solutions in place.
We sat down with a few experts in the cyber insurance field to get some insider guidance on establishing coverage.
Step One: Conduct a Cyber Insurance Analysis
Your first step is an in-depth analysis of your current telecom and IT environment to see where your potential gaps are.
Kevin Holland, Cyber Risk Adviser with Lockton Companies, says many factors drive the cost of cyber insurance: the size of the business, its revenue, the retention level, the security protocols and protections in place, and the type of coverage you want.
So, a thorough review of your environment helps establish your cyber security goals and secure the right coverage.
At this stage, you should ask questions like:
How much are we willing/able to invest in security?
Where does insurance fit with the rest of our security strategy?
Where is insurance truly needed? Some security measures are sufficient or can be enhanced without redundant coverage.
How much will it cost to keep our business running or to recover if there is an event?
The investment and cost of cyber insurance varies greatly from business to business. It’s important to ask yourself these questions to get an understanding of what needs to be covered and what you can afford.
Step Two: Determine Your Repair Period to Find the Right Level of Coverage
One of the biggest areas of cost your company needs to evaluate in the event of ransomware is your repair period.
The repair period is the time it takes after a security breach to recover your data and resume normal operations.
This period can range anywhere from 2-3 weeks up to a few years! You need to determine:
What your repair period is.
How much it will cost.
You also need to consider the need to pay out a ransom on top of your repair period costs.
This will determine your initial needs for coverage. However, the results of this exploration often surprise people. You’ll want to follow this study by developing a strategy to shorten your repair period as much as possible.
Step Three: Make Sure You Meet the Security Standards for Cyber Insurance Eligibility
Just like any form of insurance, there are minimum standards you must meet to be eligible for cyber insurance coverage. Many companies reach out to an insurance rep only to find out they have a good deal of work to do before they can protect their business.
Our colleagues at Lockton provided some of the minimum security protocols and requirements that must be met. Though there may be other specific requirements for your business, these are the common, foundational elements which must be in place.
Multifactor Authentication (MFA)
Segmented backups, or backups moved to the cloud if the cloud provider offers MFA. This protects you from a full deletion when an attacker issues instructions to delete your backups, and it maintains data encryption.
Endpoint protection and response
Intrusion prevention/detection system
Business continuity or disaster recovery plans with a ransomware-specific response and recovery plan
In addition to those foundational elements, there are also ongoing security requirements which must be maintained.
Regular security training for employees
Evidence of a patching/repair process
Dedicated vendor risk management resources in your IT department
Regular testing of your documented incident response plan
Clear policies and procedures for administrators, privileged users, and service users
Established process for the end-of-life of a software program
Encryption and purge process for personal information
In some cases, the insurer will allow a certain amount of risk in these factors, but any elevated risk will affect your rates and eligible level of coverage.
Step Four: Conduct a Thorough Review of Your Proposed Policy
It’s important to take a deep dive and look for things like how the insurance company addresses business income losses, ransomware attacks, contingent business interruption, and voluntary shutdowns.
A thorough overview will help you understand the missing pieces the cyber insurance policy doesn’t cover which are essential to your business.
Cyber Insurance Coverage Costs are Rising
Insurance brokers are warning companies that the cost of cyber insurance is rising fast.
According to Kurt Wallace, Agency Manager, and Jack Ziltz, Commercial Property and Casualty Broker, of Cornerstone Companies, there is a projected 25%-100% increase in price coming in 2022 and 2023.
Some experts will present cyber insurance as an either/or proposition. Some advise investing as much as possible in cyber insurance, while others say to redirect those funds to internal training and security protocols.
Instead, Kevin Holland of Lockton Companies suggests,
Let's take it upon ourselves to make sure we have the very best safety implementation programs. Let's make sure we've got great training and security measures for our employees, so that when we do have a phishing scam incident, for example, multifactor authentication is in place… I think there's a nice balance that can be made between the investment you make in your own security, and what you do to protect your balance sheet at the end of the day.
There’s a balance to be found. Insurance can’t and shouldn’t be your only protection. It should be a safety net underneath your security protocols and training.
For Most Businesses, Cyber Insurance Implementation Requires Guidance and Additional Resources
The process of integrating cyber insurance with a broader cyber security strategy puts a strain on any IT team.
At the very least, there’s a need to:
Conduct an in-depth, strategic assessment of your infrastructure.
Rethink your security strategy.
Implement necessary changes and coordinate the changes with your vendors.
Interact and negotiate with cyber insurance representatives.
Our experts at Serviam specialize in coming alongside expert teams like yours to assess your infrastructure, guide you in strategy development, and manage the negotiations and necessary changes to your telecom and IT services.
We provide the vendor-neutral guidance and additional manpower needed to deploy a cyber insurance solution tailored to your business needs. To find a clear pathway forward, schedule a consultation with us here at our website.
Serviam’s process is simple.
We listen and assess your unique telecom situation.
We guide you through a custom roadmap to better technological and contractual solutions.
We manage your transition so you have the best possible experience.
We stay with you to make sure your vendors continue to support your ever-changing business requirements.
Our Telecom and IT Vendor Management service goes far beyond managing costs or negotiating contracts. We guide you through a holistic, future-forward telecom strategy for your company and provide you with a long-term partner who manages your vendor relationships so you can focus on the road ahead.