I wrote previously about how cyber insurance can be a useful addition to your risk management program.
Unlike more established insurance products, cyber doesn’t have the same amount of historical data, so approaches to underwriting this risk can vary. Models to quantify it usually rely on a number of high-level factors (the industry your organisation is in, geography, applicable regulation, annual revenue, number of customers and employees, etc.) and questions aimed at evaluating your security capabilities.
You are usually asked to complete a self-assessment questionnaire to help the underwriter quantify the risk and come up with an appropriate policy. Make sure the responses you provide are accurate as discrepancies in the answers can invalidate the policy. It’s also a good idea to involve your Legal team to review the wording.
While you can’t do much about the wider organisational factors, you could potentially reduce the premium, if you are able to demonstrate the level of security hygiene in your company that correlates with risk reduction.
To achieve this, consider implementing measures aimed at mitigating some of the more costly cyber risks. What can you do to prevent and recover from a ransomware attack, for example? Developing and testing business continuity and disaster recovery plans, enabling multi factor authentication, patching your systems and training your staff all make good sense from the security perspective. They can also save your business money when it comes to buying cyber insurance.
If possible, offer to take the underwriter through your security measures in more detail and play around with excess and deductibles. Additionally, higher cover limits will also mean higher premiums and these are not always necessary. Know what drives your business to get cyber cover in the first place. Perhaps, your organisation can’t afford to hire a full time incident response manager to coordinate the activities in the event of a breach or manage internal and external communication. These are often included in cyber insurance products, so taking advantage of them doesn’t necessarily mean you need to pay for a high limit. While it is tempting to seek insurance against theft of funds and compensation for business interruption, these can drive the premium up significantly.
It’s worth balancing the cost of the insurance with the opportunity cost of investing this sum in improving cyber security posture. You might not be able to hire additional security staff but you may be able to formulate a crisis communication plan, including various notification templates and better prepare with an incident simulation exercise, if you haven’t already. These are not mutually exclusive, however, and best used in conjunction.
Remember, risk ownership cannot be transferred: cyber insurance is not a substitute for security controls, so even the best cover should be treated as an emergency recovery measure.