With the price of cyber insurance soaring, we asked Kevin Brown, the COO of global cyber security company NCC Group, how companies are using cyber insurance and about best practices for getting the most value from it.
Bob Scheier: With costs so high, what percent of companies are using cyber insurance?
Kevin Brown: It’s no longer a case of “Are they buying cyber insurance” but “To what level are they buying cyber insurance?” Much like car insurance, the question is what level of coverage they are buying and what they are willing to pay. What does it mean to be cyber insured and what are the acceptable risks? It’s a business decision based on what risks the enterprise faces and what is affordable.
How quickly are cyber insurance premiums rising and are they too expensive to be worthwhile?
Cyber insurance premiums rose by around 45% in 2022, on top of about a 25% increase in 2021. Whether it is too expensive is always a question, and there are still too many people who try to answer that only after an attack. Some risks are easy to quantify, such as the cost of your physical assets or the cost of your infrastructure. But sometimes it’s very difficult to quantify the value of your intellectual property. Sometimes you only know its value if it’s been stolen or subject to misuse.
You also need to choose where you will be cyber insured. In some cases, clients face risks in their supply chains or might need cyber insurance as a contractual requirement to supply a customer. Especially for smaller businesses, the decision to take out cyber insurance is not just a monetary commitment but also a commitment to meeting what can be strenuous security standards before an insurer will issue a policy. Some insurance companies are sending surveys with more than 300 questions asking for details about your organization, your infrastructure, and your risk management process before you even get a quote for a policy.
Do cyber insurers work with their clients to improve their security, much like property insurers work with clients to reduce physical risks?
We find cyber insurers partnering with cyber risk quantification companies. This enables companies to perform a quantifiable analysis of their cyber risk profiles from the outside in and the inside out, including analyzing factors such as human error. It gives you a very objective base for quantifying the threats.
Insurers will reduce a customer’s premiums if a client is willing to undergo an ongoing industry standard security assessment. It’s like car insurance, where the insurer will install a black box in your car and reduce your premium if it shows you are driving safely. We are starting to see a similar, more dynamic approach to cyber insurance and evaluating a client’s risk, which is a positive. I think we’re going to see more and more of this.
The threat landscape has changed significantly. This has been the worst year on record for ransomware attacks, with somewhere near a 150% increase year-over-year. We’re also seeing a broader scope of players involved in these attacks. We’re seeing initial access brokers (IABs) who have the tools to penetrate a company’s defenses and then sell access to the organization for as little as 50 for a small organization to upwards of £5,000 for a large enterprise. To counter these threats, you need continual assurance, not a point-in-time check. That’s where attack surface management solutions that constantly monitor and manage connected assets for vulnerabilities can assist.
Could this continuous auditing be a win for both insurers and clients?
Yes. Operating with the proper controls to lower your risk can be a competitive advantage. Often, security has been seen as holding an organization back from being agile. But customers buying products and services want to know their data is being protected. It’s been proven through numerous surveys that consumers are more likely to do business with an organization if they know that organization will do a better job protecting their data than others.
What should a CIO or CTO do to most effectively manage their cyber insurance strategy?
We still see many clients who don’t understand the total extent of their IT estate and what they need to protect. If you don’t know the full extent of your enterprise, how can you intelligently start to negotiate on the level of coverage you need and how much you’re willing to spend? Invest the time to ensure you understand the assets you’re seeking to protect. Understand what the crown jewels of your business are. If there were things you had to sacrifice during an attack or leave uninsured, what would they be? What assets are critical to maintaining your business continuity and keeping your customers satisfied? When you get to that point, if you’re negotiating the level of cost for cybersecurity insurance and what you would compromise on in insurance to minimize costs, you have a very good starting place.
Another point is to understand that if you have not been attacked already, you will be. What is your incident response plan? You also need to test those plans for how well you can maintain business continuity and support your customers during and after an attack.
What else should organizations do in the cyber insurance area?
Don’t be complacent; seek independent validation and an outside security assessment to understand whether you are driving value from the security tooling you already have. If you have gaps, understand what other security tools and processes are being used in the industry and what best practices you’ve not already implemented. The current trend is to use security monitoring tools and services that examine not just the organization’s own network and IT estate, but its ecosystem of suppliers and partners.
How does the cloud affect cybersecurity insurance decisions?
Cloud providers continue to invest heavily in security. But how workloads actually operate in a hybrid environment of on-premise infrastructure and multiple clouds raises new risks. How do you minimize the movement of data to and from the cloud, which is when it is most vulnerable to attack? Many organizations are looking at how they can avoid moving data unless it must be moved and performing analytics on it in place. We are helping a number of organizations understand their operating model and how applications interact with data and the resulting security challenges.
Every organization should be taking the right steps to understand what they need to insure, and how much that insurance is worth to them. Keep your business and customer needs top of mind and remember that cybersecurity insurance is part of your overall security strategy – it cannot be your only strategy. Insurance plus an understanding of your risk profile can thus ideally become a competitive advantage for you.