Business Reporter

Cyber-insurance planning for businesses

Joseph Carson at Delinea shares some tips on how to ensure that the most comprehensive cyber-insurance is available, at the optimal price

 

As the typical cost of a data breach now stands at more than £3 million, cyber-insurance coverage has become more important in helping companies pay for damages, repairs, and other associated expenses. It’s fast becoming a vital safety net that could save a business should the worst happen.  

 

According to our latest study, 79% of companies experienced a hike in their insurance premiums in 2022, which was seen as a massive overcorrection in prices. Cyber-insurance prices were adjusted again in 2023 and, with cyber-threats escalating, insurers are tightening their policies and expecting businesses to demonstrate more robust security preparedness.

 

To help businesses have the right processes in place to keep up with the higher standards of cyber-security expected by insurers, we share our top tips for businesses to consider before and during the application process.  

 

1: Start preparation early

As requirements from insurers are getting tighter, the length of time needed for an application is also getting longer, and six months or more can be necessary for larger organisations. Thorough groundwork is important to keeping the process running smoothly, and this begins with a rigorous cyber-security risk assessment, pinpointing potential vulnerabilities and establishing a robust risk management framework.

 

This groundwork is crucial for understanding the specific cyber-risks your business faces, and needs to start well in advance of renewing or applying for the first time. 

 

2: Read the small print 

As cyber-risks evolve, so do the criteria for cyber-insurance. Companies should carefully read and understand their insurance terms, especially when they update their coverage. Changes in policies, including alterations to deductibles, the definition of incidents, and modifications to exclusions, such as attacks by nation-states, can greatly affect the coverage provided.

 

Terminology can also change between providers, so check that your understanding of commonly used terms is aligned with your provider's.

 

Insurers are continuously updating their requirements and policies based on the most common attack vectors and techniques. This dynamic environment means that what qualifies for coverage today may not suffice tomorrow. For example, how companies handle and protect data with third-party providers is now more important for insurers, and businesses that want to qualify for insurance need to meet these changing requirements.

 

Your cyber-security partners or providers can also support this process and deliver insights into cyber-defence strategies that will future-proof you in this fast-changing cyber-security landscape.

 

3: Protect access to systems 

Insurers are looking for concrete evidence that their prospective policy holders have robust cyber-security measures in place. As any account or identity can be a route in for a cyber-criminal, measures to protect user identities are now particularly important. This includes the deployment of Identity and Access Management (IAM) and Privileged Access Management (PAM) systems, which safeguard against unauthorised access and manage sensitive credentials effectively. Just under half of respondents in Delinea’s research reported IAM and PAM as requirements from their insurance providers.

 

Multi-Factor Authentication (MFA) is also one of the most commonly required technical capabilities from insurers, as it provides an additional security layer that significantly lowers the risk of data breaches. 

 

4: Prepare and test incident response plans 

Providers will also be expecting well-defined incident response plans that enable swift action in the event of a cyber-attack. Such preparations not only strengthen a company’s security posture but also demonstrate to insurers a commitment to mitigating cyber-risks.

 

It’s far better to flag and rectify any problem areas in a practice scenario, so make sure this isn’t just a theoretical plan that works on paper. Conducting a series of real-life simulations will ensure that each member of the organisation knows how to respond during an attack and that plans can be fine-tuned.

 

5: Training the workforce

Cyber-security isn’t just about processes and technology; people are another critical factor. Training the team is essential so that staff can also act as an initial line of defence by spotting and reporting cyber-threats. This will reduce any organisation’s susceptibility to phishing attacks, in which cyber-criminals use a range of social engineering techniques to deceive victims.

 

This approach demonstrates a shift from merely reacting to threats to actively minimising cyber-risks. A strong training programme and comprehensive cyber-security policies fortify your company’s defences and signal to insurers your firm’s dedication to maintaining the highest levels of cyber-security.

 

6: Keep an eye on regulatory changes  

The good news for companies working towards compliance with regulations is that they’re not only strengthening their company’s cyber-protection but could also be meeting many of the same requirements from insurers. It pays to keep a close eye on regulatory changes as well as what’s happening in the cyber-insurance market to safeguard continued coverage. 

 

In the US, for example, new cyber-incident disclosure rules from the SEC are expected to complicate coverage moving forward. 

 

The golden rule is that, to stay ahead, organisations need to maintain a proactive cyber-security stance, regularly review and update their security measures, and keep abreast of market trends and insurance offerings.

 

Considering the escalating costs of data breaches, the importance of cyber-insurance cannot be overstated. Ensuring adequate coverage in this ever-changing market is paramount, not only as a financial safeguard but as a strategic component of comprehensive risk management.

  


 

Joseph Carson is Chief Security Scientist and Advisory CISO at Delinea

 

Main image courtesy of iStockPhoto.com and blackdovfx


© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543