Cyber insurance provides insurance coverage for events including data breaches, downtimes, and cyberattacks. Cyberattacks may include malware, ransomware, phishing, DDoS, hacking, insider threats, and more. Offerings and coverage will vary depending on the policy issuer.

How should companies look at the cost of ransomware vs. cyber insurance?

Ransomware costs continue to rise year over year. According to the 2023 Cost of a Data Breach Report from IBM, 24% of malicious attacks were reported as ransomware, and the average cost of a ransomware attack was $5.13 million, up 13% from 2022.

Sectors such as manufacturing and healthcare are often prime ransomware targets, due to the criticality of network or systems downtime and a stronger likelihood of the victim paying the ransom. One thing we do know is that the number one goal of ransomware operators is getting paid, so they’re incentivized to request a ransom that they think the organization can reasonably pay.

Understanding what your maximum loss is — given your IT infrastructure, and particularly your backups — will help determine what limit you can buy. Insurance in this case transfers the financial risk of a loss that you cannot mitigate through your own backup procedures.

Do you recommend paying the ransom?

Paying off a ransomware operator is the last thing anyone wants to do.

Research shows that 80% of organizations that fell victim to ransomware paid the ransom. Of those who paid, 77% relied on cyber insurance policies to cover the payment. Even the FBI does not recommend paying the ransom, as 21% of organizations that paid were unable to retrieve their data from the cybercriminals.

To avoid paying the ransom, some key elements need to be in place, such as a full Disaster Recovery plan and a Business Continuity plan. If you don’t have valid backups, if you don’t have a plan in place, and if you haven’t tested or validated your backups, you may feel you have no choice but to pay.

What about questions in cyber insurance surveys that are not applicable?

Most cybersecurity insurance questionnaires have an N/A option, but you are required to explain why you marked it N/A. Many insurance companies encourage clients to complete an addendum document (a simple Word document) along with the application, where they can clarify their answer to any question that does not perfectly relate to their industry, network infrastructure, or other circumstances.

How do I prepare or defend my company from ransomware attacks?

Companies should follow industry-recognized frameworks for their security programs. Some follow NIST, CIS Controls, or MITRE, just to name a few. Each framework has slightly different ways of approaching security, but at the core they accomplish the same objective — providing a methodical security program to protect against bad actors. Consider the various frameworks out there depending on your industry, and then build your security program around it.

Following best practices for implementing security controls, creating and testing an incident response plan, and maintaining a comprehensive employee security awareness program are great initial steps to mitigating cyber risks.

Do insurers offer lower premiums if an InfoSec program is deemed excellent?

Companies with the best cyber risk profiles will get the lowest available premiums. There is no direct relationship between InfoSec controls and premium savings, such as with a safe driver credit on auto insurance or a sprinklered building credit on property insurance. However, if your agent is marketing your coverage to multiple carriers (which would be a good thing to do after investing in your network security infrastructure), that may help you get the best premium available in the marketplace.

What are top things companies can do to reduce cyber insurance premiums?

It’s unlikely that your insurance premiums will go down year over year (at least for the time being); however, you can best manage how much they go up by presenting the best possible cyber risk profile to the marketplace. A Ransomware Supplemental Application showing key controls are in place is a big factor in this. Having these key controls in place is crucial:

  • Patch and vulnerability management
  • Multifactor authentication (MFA) for email, remote network access, and privileged/admin access. Use FIDO2 authentication for the most sensitive accounts.
  • Removal of admin rights
  • User access reviews that ensure access is continuously right-sized
  • Management of privileged accounts and secrets
  • Backups that are encrypted and kept offline or in the cloud
  • Employee Awareness Training
  • Auditing of privileged activity and access
  • Threat detection and response
  • Cyber Incident Response Plan (that has been tested)

The best pricing will typically go to companies that have a 24/7 security operations center (whether in house or third party), have total control over their privileged accounts and service accounts, can show a proper patching cadence, and have no exposed open ports. Most carriers run some kind of external vulnerability scan that detects these things. A good score helps push you into that best pricing category.

Insurance providers want MFA. Is this cloud, network, or Active Directory?

Providers are primarily concerned with MFA for email, remote network access, and privileged admin access. Many also want any type of login to datasets, whether local, in the cloud, in applications, etc., to be configured with MFA. It’s also important to be able to prove that MFA is enabled.

We encourage companies to enable MFA wherever possible. Most people think of administrators as the ones with privileges; however, when one considers the basic user, their account, and everything their account has access to — they have privileges, too. You need to review what a typical user account has access to — including HR systems, the intranet, company apps, etc. Even if an application does not require an admin login, the account may still be considered a privileged account.

Are some cyber insurance companies more knowledgeable than others?

Not all carriers are created equal. This is where a good insurance agent comes into play. Many carriers have a cyber insurance offering, but not all truly specialize in it. Some key things that you can look at on your policy to see if you have good coverage are:

  • Full limits for Ransomware/Cyber Extortion with no coinsurance
  • Full limits for Business Interruption
  • At least $1M for Dependent Business Interruption

Can my cyber insurance policy be disqualified or terminated?

Terms may vary from cyber insurer to cyber insurer. Organizations need to keep the right controls in place. This is why holistic, cross-domain visibility of your entire security estate is important, which in practice can look like:

  • Ensuring all privileged accounts are identified and have appropriate MFA implemented, preferably phishing-resistant FIDO2.
  • Assessing, adjusting, and preventing excessive permissions for human and machine identities — and right-sizing access for all.
  • Implementing robust privileged access security controls that extend beyond the traditional perimeter, covering both employees and third-party vendors.
  • Minimizing the threat surface via least-privilege controls and removal of admin rights.

These protections are not a panacea, but they should assist in thwarting many identity-based risks while ensuring your organization stays cyber-insurable. Additionally, if the insured party fails to maintain adequate security measures as required by the policy, or if there is a significant change in the risk profile of the business without proper notification, the insurer may terminate the policy. This is why it’s paramount for policyholders to comply with all policy requirements and to communicate any significant changes in their business operations to avoid termination.
