It has become difficult to avoid the headlines and conversations about cyber attacks impacting businesses lately. You might be tired of hearing how sophisticated cyber attacks are increasing in prevalence, but this is more than a scaremongering tactic. Across the 2021-22 financial year, the Australian Cyber Security Centre (ACSC), the Australian Government’s lead agency for cyber security, reported a 13% increase in attacks from the previous year.
As cyber risk increases, so does the number of businesses looking to take out cyber security insurance. Cyber insurance is a type of coverage designed to protect individuals and businesses from the financial losses and liabilities that may arise from cyber incidents and data breaches. As cyber attacks have increased, so have insurers’ premiums, exclusions and standards for their clients. If you plan to take out cyber security insurance, here is what you need to know before investing in it.
Current trends in the cyber security insurance market
If you already have cyber insurance, you might notice that your premiums have increased or that renewing your insurance comes with new conditions. The market has changed quickly in recent years as the sophistication and frequency of attacks have increased. A few of the key trends include:
Insurers have increased their premiums
One of the most prominent changes in the cyber insurance market has been that many insurers have increased their premiums. A key reason for this is the value of ransom demands; the average demand in 2021 was US$170,000, and in 2022 it rose to US$800,000.
As the number and complexity of these attacks grow, insurers bear significant financial risk. They have to factor in the potentially high costs of responding to a breach, including financial loss, legal expenses, and public relations efforts. These increased premiums can strain budgets for businesses looking for cover, especially small to medium-sized firms.
Insurance now has more exclusions
Cyber insurers have increased the number of exclusions in their policies as another measure to protect themselves. These changes limit, clarify or exclude certain losses from cover; for example, some insurers do not cover ransomware-related incidents. Your cyber insurance policy might oblige you to maintain appropriate procedures and controls to protect against cyber attacks. Your insurer might also deny a claim if you have not upheld the approved level of security protection specified in your policy.
Obtaining cyber security insurance has become harder
Together, the two factors above mean that you will have to consider making changes in your organisation to secure cyber insurance. As cyber threats grow more sophisticated, insurers are becoming more selective about who they insure. To secure coverage, you will have to demonstrate your efforts to maintain appropriate policies and controls to protect against cyber attacks.
How can you reduce the impact of these trends on your business?
It’s important to note that taking out cyber security insurance should never replace a good cyber security strategy. Cyber insurers want to discourage this approach, so you’ll have a better chance of securing insurance if you use the following measures. Aside from improving your chances of obtaining insurance, these measures also reduce your likelihood of filing a claim.
1. Enforce multi-factor authentication (MFA)
MFA requires multiple forms of validation before verifying your identity. Enforcing MFA significantly bolsters security as it becomes much more difficult for a threat actor to access your systems if they only have a password. Insurers view MFA adoption positively, and proof that your organisation uses it will help when applying for cyber insurance.
2. Train your team to recognise threats
Cyber security training gives your team the tools to recognise and flag threats such as phishing emails, ransomware, and other forms of malware. Including modules on phishing attacks allows people to identify the subtle cues of such attempts, whether via email, text messages, or malicious websites. Regular training not only reduces the likelihood of a successful cyber attack but also demonstrates to insurers that you have addressed the human vulnerabilities in your business.
3. Implement access controls
Access controls restrict who can view or use resources and data across your organisation. This strategy differentiates access levels based on roles; for instance, the CXOs will have different login credentials and access levels than your front desk team. These policies limit internal threats, including those posed by disgruntled employees or by people whose access rights are not promptly revoked after they leave the organisation.
4. Establish managed detection and response (MDR)
MDR, handled by a Security Operations Centre (SOC), proactively monitors your systems for anomalies and potential issues. MDR improves your cyber security posture with 24/7 monitoring for threats and will likely find issues before you notice anything wrong. Cyber insurers will look favourably on organisations with a SOC monitoring the business to reduce the chances of an attack.
5. Use an email filtering solution
Email filtering scans incoming emails to detect and block potential threats. It mitigates threats by reducing the number of phishing emails that land in your team’s inboxes. Cyber insurers encourage this type of protection and will consider it when covering you.
6. Complete an incident response plan
A cyber incident response plan is a document that covers your strategy for managing and recovering from cyber security incidents. When requesting cover from a cyber insurer, you will likely need to present this document as evidence of how you will respond to and recover from an attack.
7. Create a backup and disaster recovery strategy
A backup and disaster recovery strategy involves regularly backing up critical data and establishing clear procedures for recovering from a data loss incident. A robust backup and disaster recovery strategy ensures your business can recover and continue operating in the event of a cyber security incident. Backups should be secured and encrypted to protect against unauthorised access, and routinely tested to confirm the integrity and effectiveness of the restoration process. From an insurance standpoint, such a strategy demonstrates risk mitigation, which could translate into more favourable insurance terms.
Cyber insurance has become a tricky product to obtain, with high premiums and selective insurers increasing the standards for coverage. As such, your business should focus on using the resources available to enhance your cyber security measures and improve your chances of gaining cover.
Your business can implement access controls, align with recognised security frameworks, adopt a risk-based approach to cyber security, train teams to recognise threats and establish a robust backup and disaster recovery strategy. These practices will protect your business from cyber threats and positively impact your standing with insurers, potentially leading to more favourable insurance terms.
RODIN can guide you in strengthening your cyber security measures
We offer a comprehensive suite of cyber security services that we can tailor to suit your business’ unique needs, providing you with the most effective security possible. When you choose RODIN, you choose more than a company capable of deploying the right solution; you gain a strategic partner that delivers innovative solutions without breaking your budget.