Sadly, rising costs are a universal story in 2022. We see the signs of inflation everywhere. As a business, you must decide how much of the cost increases you absorb and how much you pass on to your customers. While many of the cost increases are unavoidable in this environment, there are some areas where you have more control than you might realize.
Standard business insurance policies, such as property, general liability, and workers compensation, have long used risk control services to help reduce the frequency and severity of loss. Cyber insurance is newer and doesn’t yet have the same knowledge base, but that’s changing: ransomware attacks began to reach critical mass in 2019, and claims have been rising ever since. That means cyber insurance prices for businesses have been rising too. Unlike traditional data breach attacks, the ransomware phenomenon has been more challenging because it is neither industry- nor size-specific, and loss amounts are more unpredictable. A Fitch Ratings report says ransomware losses drove U.S. cyber loss ratios from 34% in 2018 to 73% in 2020.
This has forced insurers to not only raise rates, but also to limit coverage. For example, if a firm does not have multi-factor authentication (MFA) implemented, the insurer may refuse to cover certain types of attacks. Additionally, insurers are increasing their underwriting requirements. Insurers require extensive questionnaires to be completed prior to giving a quote. Instead of simple yes/no answers used in the past, these questionnaires now resemble security risk assessments and ask for specific details. Insurers may then require independent verification of key details and an assessment of network vulnerabilities before determining if insuring the firm is an acceptable risk.
One benefit of this increased scrutiny on the part of insurance companies is data. Insurers have valuable insights gathered from their claim statistics across industries and can provide information about the most exploited vulnerabilities. Insurers are also motivated to help their clients remediate issues and proactively adopt new security technology. If an insurance company wants you to implement a specific security procedure, there’s a lot of data behind that requirement.
Let’s review some of the questions taken from insurance questionnaires:
Companies may think that running a software as a service solution like Office 365 is secure enough. Many of the security settings, however, are optional. Here are some things insurers will want to know about your Office 365 implementation:
- Do you use the Office 365 Advanced Threat Protection add-on?
- Can users run MS Office Macros from documents on their system by default?
- Do you strictly enforce Sender Policy Framework (SPF) on incoming e-mails?
- Do you have the capability to automatically detonate and evaluate attachments in a sandbox prior to delivery to the end-user?
- Detail the amount of personally identifiable information (PII), personal health records (PHI) and/or payment card information (PCI) that is in your care, custody, and control.
- What precautions are taken to ensure PII, PHI, and PCI are secured from unauthorized access?
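The SPF question above is easy to answer “yes” to without knowing what “strictly enforce” means in practice. The following is an added example, not code from the original article or from Clare Computer Solutions: a small SPF evaluator that checks a connecting server’s IP against a domain’s SPF record and then applies either a lenient or a strict enforcement policy. It handles only the ip4, ip6 and all mechanisms, and the SPF record is a constructed string supplied inline rather than fetched from DNS, so it runs offline; mechanisms that would need DNS (include, a, mx, redirect) are reported as permerror here, whereas a real mail receiver resolves them.

```python
"""Toy SPF evaluator (added example, not the article's own code).

Checks whether a connecting mail server's IP is authorised by a domain's
SPF record and shows the difference between lenient and strict
enforcement of the result. Only ip4/ip6/all mechanisms are implemented;
the record is supplied inline instead of being fetched from DNS.
"""
import ipaddress

# Constructed SPF record for a hypothetical domain (not a real DNS lookup).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# SPF qualifier prefixes and the result they produce on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip against record.

    Result names follow RFC 7208: pass, fail, softfail, neutral,
    none (no record) or permerror (record unusable by this evaluator).
    """
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        qualifier = "+"  # mechanisms without a prefix default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # ip4 only matches IPv4 senders and ip6 only IPv6 senders.
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists/redirect need DNS: unsupported in this toy.
        return "permerror"

    # No mechanism matched and no "all" term: RFC 7208 default result.
    return "neutral"


def should_reject(result: str, strict: bool) -> bool:
    """Map an SPF result to an accept/reject decision.

    A lenient receiver rejects only on a hard "fail". A strict receiver,
    the posture the questionnaire asks about, also rejects "softfail"
    and records it cannot evaluate ("permerror").
    """
    if strict:
        return result in ("fail", "softfail", "permerror")
    return result == "fail"


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "2001:db8:1::5"):
        result = evaluate_spf(EXAMPLE_SPF, sender)
        print(sender, result,
              "reject" if should_reject(result, strict=True) else "accept")
```

The point of `should_reject` is that the same SPF result can produce different outcomes: a domain publishing `~all` (softfail) is accepted by a lenient receiver and rejected by a strict one, which is the distinction an underwriter is probing with that question.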
Data Backup and Recovery
- Please provide details of network segmentation and the ability to respond to an event/ransomware attack (backup/business continuity).
- Are backups stored offsite and offline to safeguard against compromise?
- Have you tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months?
- Are you able to test the integrity of backups prior to restoration, to be confident they are free from malware?
- Is there a formal vendor management or due-diligence program in place and monitored?
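The backup-integrity question asks whether you can tell, before you restore, that a backup set is still what you wrote. The following is an added example and not code from the original article or from Clare Computer Solutions: it records a SHA-256 manifest of a backup set and authenticates that manifest with an HMAC whose key is kept with the offline copy rather than inside the backup, so an attacker who later modifies backup files, or the manifest itself, cannot produce a valid tag. It detects post-backup tampering (modified, missing or added files); scanning the contents for malware that was present when the backup was taken is a separate control. The sample files and key are constructed in a temporary directory.

```python
"""Verify a backup set against a keyed manifest before restoring it
(added example, not the article's own code).

The manifest maps file path -> SHA-256. It is authenticated with an HMAC
whose key lives with the offline copy, not inside the backup, so
tampering with either the files or the manifest is detected. Sample
files are constructed in a temporary directory.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large dumps don't need RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the manifest."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_backup(root: Path, manifest: dict, tag: str, key: bytes) -> list:
    """Return a list of problems; an empty list means the set is intact."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        # Manifest tampered or wrong key: nothing below can be trusted.
        return ["manifest signature mismatch"]
    problems = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Build a constructed backup set, then tamper with it and re-verify.

    Returns (clean, tampered, forged): the problem lists for the intact
    set, the set after two files were altered/added, and the intact
    manifest presented with a forged tag.
    """
    key = b"offline-manifest-key-kept-outside-the-backup"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "app.ini").write_text("mode=prod\n")
        (root / "db.dump").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)
        clean = verify_backup(root, manifest, tag, key)
        # Simulate tampering after the backup was taken.
        (root / "db.dump").write_bytes(b"\x00" * 1023 + b"\x01")
        (root / "unexpected.bin").write_bytes(b"not in the manifest")
        tampered = verify_backup(root, manifest, tag, key)
        forged = verify_backup(root, manifest, "0" * 64, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result or "ok")
```

The restore procedure should refuse to proceed unless `verify_backup` returns an empty list; a manifest that is stored alongside the backup without a key-protected tag only proves that the files match the manifest, not that either one is the version you originally wrote.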
General Risk Assessments
- Has the organization tested its Incident Response Plan in the last 12 months?
- Has the organization tested its Denial-of-Service Business Continuity Plan in the last 12 months?
Keep in mind, this is just a small selection of the questions included in recent applications for cyber insurance. If you accept credit card payments, expect more questions about your compliance with the Payment Card Industry Data Security Standard. If you’re in the medical field, be prepared to discuss how your firm complies with HIPAA. Many other industries have their own requirements, and insurers will want to know how well you comply before they cover you.
The good news is that you can limit rising cyber insurance costs. The more secure your IT infrastructure is, the lower your risk of incident, which translates into lower rates. Obviously, the worst situation is when the insurer refuses to cover your business at any cost. So, what can you do specifically to make sure insurance companies not only want to insure your business, but also want to give you their lowest rates?
As mentioned earlier, the insurance questionnaires are beginning to look more like security risk assessments, so the first thing to do is to run your own security risk assessment. Because the insurance companies work closely with the cyber security industry, the threats insurers and security experts care about will be the same. Security is a rapidly changing area, so a security risk assessment framework from 2019 will barely be relevant to the security situation we are in today. If you’re going to go through the effort and expense of a security risk assessment (which you should), make sure it’s up-to-date and focused on the threats insurers care about in 2022.
Once you’ve identified deficiencies, get security experts who are familiar with the latest solutions to help address them. For example, implementing a multi-factor authentication solution on one or two applications may be easy, but implementing it across your entire infrastructure will be more challenging. Just as locking all the doors to your house while leaving the windows open won’t protect you much, securing some applications while leaving others as-is will attract the attention of both the insurance company and criminals.
Lastly, make security a mindset, not something you think about only when filling out insurance questionnaires. Every purchase of new hardware, new software, or new services should include an evaluation of how the addition increases or decreases your security risk. Securing your business is a never-ending quest; you’ll never fully get there. Your firm should always have a security to-do list, and as soon as one project is complete, the focus should shift to the next project on the list.
If this sounds a bit overwhelming, it doesn’t have to be. At Clare Computer Solutions, we do this stuff every day. We can help you identify the areas for improvement that will not only thwart attackers, but also help reduce your insurance costs.
If you’re looking to improve your cost structure at the same time as your security infrastructure, give us a call.