How to Get the Most Out of Cyber Insurance
Cyber insurance should augment your cybersecurity strategy — not replace it.
COMMENTARY
Cybersecurity insurance is the fastest-growing segment of the global insurance market, and there's a good reason for that. Cybersecurity has become one of the most critical requirements for organizations of all types — from small business to large corporation — as cyber threats remain constant.
Unsurprisingly, cyber-insurance rates increased substantially from 2018 to 2022. Though overall cyber-insurance premiums began to decrease in 2023, many organizations are still seeing their rates rise.
Costs Are Increasing — for Those Able to Get Insured
The cyber-insurance industry is maturing just as quickly as cyber threats are growing in quantity, scale, and sophistication. As payouts and annual premiums increase, coverage limits are becoming more restrictive.
In a 2023 survey of US organizations, "79% saw insurance costs increase, with 67% facing an increase of 50-100%." Smaller companies, with fewer than 250 employees, were more likely to be denied coverage than large businesses (28% versus 8%). The primary reason small businesses were rejected was their lack of security protocols.
The good news is that the work you do to strengthen your organization's overall security posture and identity hygiene is also the work that will satisfy many of the compliance requirements underwriters are looking for — resulting in better security protections and better insurance coverage and premiums.
Tips to Ensure Affordable Cybersecurity Protection
Self-assess: Proactively self-assess your risk profile and ask yourself the hard questions before the underwriters do. Conduct a thorough assessment of your current cybersecurity posture, identifying strengths and weaknesses.
This process has two main benefits:
It gives you a clear picture of where you stand now.
It guides you to evaluate policy options that will cover your specific risks.
Don't underestimate risks: Make sure not to underestimate your company's or industry's risks. Everyone is vulnerable to cyberattacks, not just traditional high-risk sectors such as financial services. In recent years, we've seen cyber incidents across many verticals, including healthcare, energy, and retail.
Insurance providers categorize rates based on industry-specific risks, comparing you to your peers in the process. Understand your sector's unique vulnerabilities — even if you haven't had to worry about them in the past — and be prepared to demonstrate how you're addressing them.
Know your coverage limits: That leads me to my next piece of advice — understand your coverage limits. Thoroughly review the limits, sublimits, and exclusions in your policy. Pay close attention to what the coverage provides in terms of the full scope of potential losses, including third-party liabilities and regulatory fines. You can often negotiate terms, including specific clauses and deductibles, during the process.
Not all policies are the same. Many insurance providers focus on particular verticals or demographics. They each have different views of risk and leverage a range of data points to make their decisions. Do your research on individual providers to find the best fit for your organization, and regularly review your policy. The threat landscape is always changing, and the coverage you need may evolve along with it. Conduct periodic reviews of your policy well ahead of your renewal date to make sure it is still meeting your needs.
Understand your requirements: It's important to pay attention to the compliance requirements. Many policies explicitly call out compliance requirements. Failing to meet these standards can result in having your claims denied. Carefully assess your policy's requirements to verify that you are fulfilling them.
When engaging with insurance providers, be ready to show your work. Demonstrate the effectiveness of your security controls, particularly those related to identity hygiene. If you're renewing your policy, show how you've matured your approach to cyber-risk since your last assessment. What tangible improvements have you made? What products are you using to automate processes?
Focus on areas that underwriters prioritize, such as privileged access management and credential protection. Quantify your progress by highlighting reductions in accounts with administrative access or new requirements for regular password updates. Providers are looking for year-over-year maturity — moving from ad hoc, manual approaches to clean, consistent, automated, and sustainable hygiene practices. Be sure that you are getting full credit for your hard work.
Conclusion
As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.
Prepare for increasingly rigorous risk assessments from providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.
Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.