You Need Cyber Insurance—But Before You Apply, Read This!

You know you need cyber insurance. Before you can get it, there are certain steps you have to take to qualify. 

Cyber insurance is one of the most important means of protection for your business.

It offers additional legal and financial safety in case criminals attack. However, cyber insurance is incredibly difficult to get, unlike car and home insurance. Your application for a policy won’t be reviewed if you haven’t taken concrete steps to become “cyber compliant.” Fortunately, taking measures can bolster your security defenses, as well as smooth the path to financially protecting your business. 

What is Cyber Insurance? 

Cyber insurance policies help protect you legally and financially in case of a breach or attack. For example, you might seek liability coverage for your business if a client’s personal information is leaked. Or you might seek a financial bail-out if your company experiences a ransomware attack and you have to pay to retrieve stolen data. 

Why do companies need Cyber Insurance? 

From malware to phishing scams, cyber threats are a reality for businesses of all sizes and across all industries. 

Here are three main reasons companies need cyber insurance ASAP: 

  1. Ransomware risk is increasing. 
    • In 2020, the average ransom payment made by a company to an attacker was $300k. That’s a lot—but so far in 2022, it’s $925,162. According to the 2022 DBIR, ransomware attacks are also up by 13%, more than in the last five years combined. As attackers continue producing more sophisticated malware, there is a heightened risk for businesses of all kinds. 
    • There is a specific risk for businesses with email servers—which is practically all of them—as emails are a plentiful source of personal data, credentials, and financial information. In 2020, about 65% of organizations suffered a business email compromise. In 2021, that number increased to 77%. These majority numbers can’t be ignored. 
  2. Companies don’t have adequate cyber hygiene.
    • In addition to the increase in ransomware breaches, the 2022 DBIR also revealed that 82% of cyber breaches involved human error, including social attacks, errors, and misuse. This finding indicates a dramatic need for businesses to address human error from within. 
    • Since 2020, changes in the remote workforce have also triggered poor security practices. As the world rushed to establish work-from-home setups, we neglected security; many users still use personal devices on unsecured home networks—a gaping vulnerability. (PS: if that’s sounding familiar, get some more tips here.)
  3. The stakes are getting higher. 
    • While the financial impact of a ransomware attack is bad enough on its own, the chain reaction of events is even worse than most businesses realize. A cyber-attack can interrupt business completely, leading to lost sales, downtime, inability to accept payments, or having to pay employees and third parties for assistance getting things back up and running again. Business interruption expenses can be enormous, so the last thing you’d want on top of an attack would be the reputational damage and lack of trust that often occur once an enterprise has suffered an attack. 

Why is it difficult to get Cyber Insurance? 

Despite these ongoing and nerve-wracking threats, only 23% of businesses surveyed reported having an “incident response plan,” which is a way organizations can demonstrate their preparedness for cyberattacks. If an organization hasn’t shown any engagement in defending itself from threats, a cyber insurance company isn’t likely to view them positively. 

The statistic above reveals a bigger problem that’s making it challenging even to get a cyber insurance policy in the first place. Due to the rising costs and risks related to cybercrime, insurance companies are tightening their requirements for application and renewals, and they’re increasing premiums, too—especially for companies who haven’t made a particular attempt to solidify their cybersecurity on their own. They’re taking a stance on company responsibility and insisting on compliance. 

So… What should companies do? 

It might sound like an uphill battle, but there are ways your business can build plans to meet the criteria so you can get cyber insurance soon or down the line. It’s strongly recommended companies get a cyber insurance assessment by a qualified company before making an initial application to save time and money. An assessment will help you identify and remediate gaps in your existing cybersecurity stance so that once you apply, you stand a much higher chance of success. 

 How can companies become compliant? 

An assessment will examine twelve key areas for initial cyber compliance. One through five are absolute must-haves, and seven through twelve will hugely boost your security posture (and chances of getting insurance). 

The top five compliance categories:

  1. Employ mandatory multifactor authentication (MFA) for remote access and for administrator/privileged controls. 
  2. Require endpoint detection and response (EDR).
  3. Backup data and networks securely and encrypt the backed-up data.
  4. Engage in Privileged Access Management (PAM) to lock down important accounts. 
  5. Use Email filtering and web security to reduce phishing scams. 

Strongly recommended categories (these are great additional protection for your business, but they also increase the likelihood of being insured!): 

  1. Use patch management and vulnerability management to secure software. 
  2. Cyber incident response planning and testing (do this proactively). 
  3. Plan for regular cybersecurity awareness training and phishing testing on an ongoing basis. 
  4. Employ hardening techniques, including remote desktop protocol (RDP). 
  5. Have thorough logging and monitoring/network protections in place. 
  6. Replace or protect end-of-life systems.
  7. Lock down vendor/digital supply chain risk management.

If it sounds like a lot, just a tip: it’s not worth applying before taking these steps just to see if you get lucky. If you’re denied (which is likely), even if you address the issues that cause your rejection, the initial denial will follow you, like points on your license. Finding a company to insure you for a reasonable price will become even more difficult. 

In addition, if you already have cyber insurance, remember that renewal isn’t guaranteed—underwriting standards continually shift. 

But here’s the good news: Stratti’s got your back.

Not only can Stratti help you identify which aspects of your company’s security posture to strengthen, but we can also assist you in becoming fully compliant, with the end goal of getting your fully insured. 

We stand beside you with every step, so no matter where you’re starting from, you’re safe in Stratti’s care. We’ve worked with many cyber insurance companies over the 25+ years we’ve been in business, and we’ve helped many clients through the cyber insurance application process.

Start here!