Business Reporter

Keeping a lid on cyber insurance costs


David Higgins at CyberArk explains how to justify, and reduce, the cost of cyber insurance

 

Cyber insurance has skyrocketed, jumping from being a completely new product to becoming an expensive, but almost essential, business purchase. It tracks the similarly rapid rise in cyber attacks, morphing from a rare event to simply part of the business landscape.

 

The latest Allianz Risk Barometer offers a bleak picture of the commercialisation of cyber crime, identifying the ease with which attackers can carry out devastating attacks. And our latest Identity Security Threat Landscape research illustrates the consequence: over 70% of organisations experience two or more ransomware attacks annually.

 

In the face of two equally unattractive options – a high insurance premium or huge monetary losses in the face of a cyber attack – many businesses are unsure about how to protect themselves against this new threat.

 

Usually, insurance is considered to be a worthwhile form of risk mitigation. But it’s a less obvious benefit here. Luckily, a little scrutiny of the factors at play might just offer a safer and more cost-effective answer.

 

Insurance in a cyber world

The threat might be relatively new to the world of business, but it’s clear that cyber attacks are not going away anytime soon. So, we ought to add them to the list of eventualities we can be certain we need to prepare for – death, taxes, and now cyber attacks.

 

Thus far, the predominant strategy has been a home brew mix of cyber security practices. We’re seeing the beginnings of universal standards and government guidelines, but the reality is, we haven’t cracked a consistent approach.

 

A recent DCMS report revealed that half of all businesses have just one person responsible for cybersecurity across the entire organisation – and even when the team grows, it’s not likely to surpass five members, no matter the size of the business they serve.

 

What’s more, these organisations are lucky to have a cyber security manager at all – around 697,000 businesses identified a basic cyber security skills gap, meaning over half are wildly underprepared for the threats they face. In place of having their own defences, businesses are increasingly turning to insurance policies for protection, although it’s turning out to be an expensive route.

 

We know the enemy of insurers is uncertainty. They have teams of actuaries calculating every possible risk factor to determine the likelihood of a claim against your car, life, or house to balance their books, and they’re usually right. Some may argue the steep increase in insurance costs is simply the result of a nascent market settling.

 

But cyber insurance premiums jumped by 25.5% last year alone – compared to an industry average of 8.3% – and insurers are becoming more reluctant to sell policies at all, which tells us it’s a little more than teething problems. The lack of certainty that a business is cyber secure, alongside being unable to predict the outcome of an attack, seems to be reducing the all-knowing wizards to simply covering all their bases with a big fat cheque.

 

There is, however, a soft spot in between what appears to be a rock and a hard place. If insurers need a little certainty, it’s not hard for businesses to offer it – while actually reducing risk, and therefore premiums, in the process.

 

Get ahead of the game

Our recent threat landscape research showed that many businesses were scared off by high premiums, deciding to go it alone. However, once a cyber attack had unfortunately occurred, they seemed to regret this approach – with 76% of cyber insurance policy holders purchasing after having suffered a ransomware attack in the last 12 months.

 

This certainly seems like the worst of both worlds – having to cough up the money to cover the damages yourself and pay the high insurance premium. So, it pays to definitively pick a strategy ahead of time.

 

Damages caused by a breach incur the heaviest costs: you will likely need new partners and technologies to fix issues, downtime and engineers to rebuild parts of your cyber infrastructure, and may potentially face lawsuits and regulatory fines at the end of it.

 

If you choose to go it alone, it’s best to prepare these partnerships and emergency plans ahead of time so you aren’t caught in a panic when the time comes. It affords you more options and lower stress levels overall.

 

Boiling the ocean is futile and expensive

A gut reaction can be to attempt to secure absolutely everything in your system. But cyber security is complex, requiring carefully constructed layers to cover a multitude of user accounts and digital assets. Pursuing this approach will be both futile and expensive – a tad like attempting to boil the ocean.

 

Instead, auditing your user accounts and identities will reveal a lot about your security posture (and be a lot more convenient). A business can easily have four to five times as many accounts as employees, so an audit will reveal which are the most important and their level of risk. This can inform policy around account management, creating security and closing gaps. In addition, you can selectively decide which assets actually need to be insured.

 

Presenting a house with a good lock and no cracks in the walls will be an attractive offer to an insurer, not only allowing you to negotiate better premiums but to be more confident in your initial defences.

 

It’s time to step up

When focusing on evaluating the potential viability of cyber insurance, it’s easy to let the actual goal slip out of sight: to mitigate the effects of a cyber attack. Good security practices should remain at the heart of a successful cyber security strategy, offering businesses the peace of mind that their most critical assets are protected. After all, you would never leave your front door open, content in the knowledge that your home insurance policy was there to protect you.

 

It’s important to reflect upon and acknowledge the threats businesses face today, and understand that even robust cyber security defences can be circumvented. Insurance, then, offers a reassuring plan B. Regardless of which path a business opts for, taking steps towards putting those key policies in place will keep both costs and risk down.

 


 

David Higgins is Senior Director, Field Technology Office at CyberArk

 

Main image courtesy of iStockPhoto.com


© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543