    4 Steps to Strengthen Your Cyber Insurance Strategy

    Cyber insurance is expensive and limited in coverage. These steps can help you get a policy with the best possible terms and rates. 

    by Neil Clauson

    Key Points

    • As cybercrime escalated in recent years, insurers sharply increased premiums and tightened coverage. 
    • To get adequate coverage at a reasonable rate, take these four steps: understand your risk profile, reduce your attack surface, maximize your security controls, and communicate quantifiable results to insurers.  

    The years since the start of the COVID-19 pandemic and the pivot to remote work have been busy times for cybercriminals, who’ve taken advantage of the upheaval. S&P Global has noted ransomware attacks increased by 232% between 2019 and 2021[1] and climbed another 25% in 2022.[2] 

    These statistics are reflected in the cost of cyber insurance. Premiums nearly doubled from 2020 to 2021. The Wall Street Journal recently reported that the market has begun to stabilize,[3] but that’s only relative. The insurer Marsh reported that cyber insurance prices rose 48% in the U.S. in the third quarter of 2022, down from 79% in the second quarter.[4]

    Additionally, insurers have set a higher bar for policyholders to demonstrate that their risk management practices are up to par, and they are cutting back on what they’ll cover. For instance, Lloyd’s of London recently dropped coverage of cyberattacks by state-sponsored actors from its policies.[5] 

    In our State of Ransomware Readiness 2022 survey, about one-third of respondents said their companies are insured, and about the same number said their companies need cyber insurance. Companies’ security strategies are designed to provide the brakes that allow them to go fast and innovate, within reasonable cyber risk parameters. One way to balance this tension is by purchasing cyber insurance policies to cover expenses such as incident response, crisis communications, and forensic investigations. 

    As security professionals, we aim to prevent any attack, but in the end, it comes down to a cost/benefit analysis. Applying best practices can help manage the current environment and maintain optimum cyber coverage while holding down costs. We covered many of these practices in our recent webinar, “Strengthen Your Cybersecurity Insurance Strategy with Mimecast,” which you can watch on-demand. Takeaways from the webinar are summarized below.

    Understand Your Risk Profile

    Many factors will affect your risk levels: Which industry are you in? Which targets in your sector are on attackers’ radar? How much sensitive data do you have, and what would it be worth on the Dark Web?

    Business impact assessments, threat intelligence, and risk analysis are all useful tools to understand the position you’re in and articulate it to stakeholders. Your understanding of risk may differ from your insurance provider’s, so maintaining a strong relationship with your insurer and your finance and legal teams will avoid surprises.

    Reduce Your Attack Surface

    It’s just good practice to limit your cyber exposure. So, implementing and maintaining good security controls is about practicing good hygiene throughout the year, not acting heroically when it’s time to renew your policy.

    Ask yourself: Is there something exposed externally that shouldn’t be? Maintaining an accurate inventory of your IP ranges and subnets ensures your policy isn’t undermined by assets you don’t even know you have. In addition, Domain-based Message Authentication, Reporting, and Conformance (DMARC) guards against email spoofing of your domains, a risk insurance providers zero in on. Other helpful practices include employee awareness training, consistent patching, and segmenting guest Wi-Fi traffic from your company network to contain malware infections. Look at it all from an insurer’s perspective: Why would they extend the protection of a policy to a company that won’t take such basic steps? 
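    Because insurers ask specifically whether DMARC is *enforcing*, not merely published, it is worth checking what a domain’s record actually does. The following is an added example (not code from the article or from Mimecast) that parses a DMARC TXT record into its RFC 7489 tags and flags settings that leave spoofing possible: a `p=none` monitoring-only policy, a `pct` below 100, a subdomain policy (`sp`) weaker than the apex policy, and a missing `rua` reporting address. The sample records are constructed for illustration, and the weakness checks are the editor’s own heuristics rather than any insurer’s published criteria.

```python
"""Rate the spoofing protection a DMARC record provides.

Added example; not part of the original article or any vendor product.
Tag names follow RFC 7489 (v, p, sp, pct, rua). The sample records below
are constructed, and the weakness heuristics are the editor's own.
"""
from __future__ import annotations

# Ordering used to compare policies: reject is strongest, none is weakest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample records (not real domains' records).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SUBDOMAIN_GAP_RECORD = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a tag -> value dict.

    Tag names are case-insensitive (RFC 7489 section 6.4), so they are
    lower-cased; values keep their case because rua/ruf URIs may be
    case-sensitive.
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    findings: list[str] = []

    # Receivers ignore a record whose version tag is not exactly DMARC1.
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing or wrong v= tag)"]

    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        return [f"missing or unknown p= policy: {p!r}"]
    if p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine lands spoofed mail in spam instead of rejecting it")

    # pct defaults to 100; anything lower applies the policy to a sample only.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")

    # sp governs subdomains and inherits p when absent. A weaker sp leaves
    # e.g. billing.example.com spoofable even with p=reject on the apex.
    sp = tags.get("sp", p).lower()
    if POLICY_RANK.get(sp, -1) < POLICY_RANK[p]:
        findings.append(f"sp={sp} is weaker than p={p}; subdomains remain spoofable")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility into failures")

    return findings


if __name__ == "__main__":
    for name, record in [("weak", WEAK_RECORD),
                         ("subdomain gap", SUBDOMAIN_GAP_RECORD),
                         ("strong", STRONG_RECORD)]:
        issues = evaluate_dmarc(record) or ["enforcing, no weaknesses found"]
        print(f"{name}: {record}")
        for issue in issues:
            print(f"  - {issue}")
```

    To run it against a live domain, fetch the TXT record at `_dmarc.<domain>` with your resolver of choice and pass the string to `evaluate_dmarc`. A clean result on the apex is not the whole story: the `sp` check exists precisely because a `p=reject` apex with an inherited or explicit `sp=none` is a common gap that shows up in insurer questionnaires as “DMARC in place” while subdomains remain spoofable.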

    Companies with more mature security programs can find breach and attack simulation (BAS) tools helpful. These replay different types of attacks against your defensive stack to confirm you can detect and block them. The exercise not only improves your defenses but also gives you a credible account of your proactive efforts to share with your insurer.

    Maximize Your Security Controls

    Use the levers you have to reduce the frequency and severity of attacks, such as data encryption, backups, and least privilege access. Additionally, leverage APIs and ecosystems to connect your tools for greater efficacy. Mimecast has over 200 integrations that can, for example, take threat intelligence all the way from email systems through your endpoints. That kind of approach also lets you tell a good story both to your internal stakeholders and your insurer.

    Some tools may have become rote in your everyday activities; “alert fatigue” is a familiar problem in email security. Upgrading some of those efforts, for example by using banner notifications to alert users to suspicious emails, can renew their effect. Bannering can also give employees options to respond to a warning, such as reporting an email or marking it safe. That feedback, in turn, can help the machine learning behind your email screening improve its detection of malicious messages.

    Put Your Best Foot Forward

    Focus on things within your control that can have a material impact on your risk profile. Tabletop exercises teach you how to respond effectively across the full set of stakeholders who will be involved if you are attacked, enabling everyone to make decisions quickly and in line with business requirements. Running simulations of different incidents is a great way to test yourself and your team. The U.S. Cybersecurity and Infrastructure Security Agency[6] and the U.K. National Cyber Security Centre[7] both provide tabletop exercise templates.

    These preparations also help you tell a convincing story to insurers. They let you show that you have a resilient risk management program and can consistently handle the volume of alerts you face to a high standard. Insurance providers are looking for more than anecdotal evidence of your cyber risk management, so any evidence of people, process, and technology measures that can be quantified is a plus. 

    The Bottom Line

    Insurance providers are not in the business of losing money, so their terms have been tightening amid rising cyberattacks, with higher premiums and decreased coverage. By identifying and reducing risk, securing your network for all users (including customers and suppliers), and telling a good story to your insurance company, your company can look to get better insurance coverage at a more affordable rate. For more, tune in to our on-demand webinar, “Strengthen Your Cybersecurity Insurance Strategy with Mimecast.”


    [1] “Cyber Risk in a New Era: The Rocky Road to a Mature Cyber Insurance Market,” S&P Global Ratings

    [2] “Cyber Trends and Credit Risks,” S&P Global

    [3] “Hot Market for Cyber Insurance Begins to Stabilize,” Wall Street Journal

    [4] “US Pricing Q3 2022,” Marsh

    [5] “Lloyd’s Cyber Insurance Tweaks Stir Coverage Restriction Concern,” Bloomberg Law

    [6] “CISA Tabletop Exercise Packages,” Cybersecurity and Infrastructure Security Agency

    [7] “Exercise in a Box,” National Cyber Security Centre