Can we mitigate business risk with cybersecurity insurance?

More and more CEOs name cyber risk as a top threat to their business in 2022, contributing to growing demand for cyber insurance. However, the flurry of demand created unintended consequences where companies were getting insured based on very few questions from insurers who, in turn, were overwhelmed by claims from attacks. This has resulted in a fluid and contentious environment as insurers began fighting back where they now will:

• Not insure at all;
• Charge inflated premiums; and/or
• Ask very specific questions where “wrong” answers result in outright rejection.

Insurers are continuously changing cyber underwriting requirements and apparently not subscribing to any published frameworks, resulting in regulated customers, who may be following their own guidelines (e.g.: HIPAA), not being assured of qualification as insurers present different criteria. Furthermore, insurers’ criteria are changing from year-to-year, becoming stricter and more rigorous, creating a moving target for SMBs.

How do we protect our businesses in this environment?
Begin by recognizing that cyber insurance offers a limited, very specific solution: to mitigate the expense of recovering from a breach. While it may provide funds needed for recovery, IT DOES NOT PREVENT ANYTHING. And it certainly doesn’t eliminate any of the pain, downtime, and effort in recovering data or restoring systems associated with a cyber breach.

It is more important than ever to keep from being attacked and doing what we can to lessen the recovery cost. Take stock of your internal policies and procedures to assess your level of self-reliance.

(a) What are we doing to check our environment to make sure we are as protected as well as we can be on our own?
(b) What are we doing to lessen the burden of recovery from such an incident on our own? Then, become familiar with the insurer’s qualifications list or application and check against your current cybersecurity situation. Examples of common/general- purpose frameworks that align well with insurer requirements include NIST 800-53 and CIS Common Security Controls.

Performing a gap analysis against a common framework can provide a maturity profile for your own use, as well as that of the insurer. The extra protective steps you take in this process can also reduce expenses for other coverage, such as business interruption insurance.

Ransoms: To pay or not to pay?
If you dismiss the threat of cyberattacks because you’re willing to pay any ransom required, consider this: paying may not be an option if the ransomer has been placed under sanctions by the federal government. The U.S. Treasury has strongly discouraged paying ransoms and hinted at enforcement against ramsomware victims who remit payment to such “Specially Designated
Nationals.”

On the other hand, if you believe that you can recover your operations without paying ransoms, consider that if you don’t pay, hackers have begun threatening to sell ransomed data on the dark web as an additional coercion to pay. Either way, it makes for a strong case to avoid cyberattacks in the first place.

Treat cybersecurity as a business risk
Cyber insurance, like other kinds of business insurance, depends on your unique circumstances. Make sure you know how much insurance you need. If you’re a small SMB, you probably don’t need that much — unless you have sensitive customer data. If you have sensitive data on individual people, you will have restitution costs as any breach will fall under various state’s breach notification laws, requiring legal counsel and greatly increasing the cost of response and recovery. Additionally, a critical assessment of the extent to which your business depends on technology and the risk of losing revenue and operations due to unavailable systems puts the whole matter in better perspective.

In any case, cybersecurity is best treated as a business risk with governance designed to avoid attacks and lessen recovery costs, always diligent in the checking and protecting of one’s environment.

Editor’s note: Sara Christie is a security customer relationship manager with Mainstream Technologies. The opinions expressed are those of the author.