What You Don’t Know About Cyber Insurance Can Cost You

May 2, 2022

Dave Sampson is the vice president of consulting services for Thrive. He can be reached at [email protected].

Many companies that have purchased cybersecurity insurance have learned a tough lesson in the last few years — insurers will not renew policies or pay claims unless the policyholder follows guidelines of what’s required to protect a company’s computer network and data from attacks.

A 2021 Harvard Business Review article, citing internal research conducted by PCS, reported that companies with at least $200 million in cyber insurance account for a bit more than 20% of what is believed to be $5 billion in global cyber insurance premiums, amounting to roughly $1.1 billion in premium.

With around 250 companies buying at least $200 million in protection, it would only take five insured losses around that amount to wipe out an entire year’s premium.

A misconception about purchasing cybersecurity insurance is that receiving a claim payment when an intrusion occurs will enable a quick, painless return to business as usual.

Unfortunately, a cybersecurity insurance plan on its own does not exclude the need for network defense tools, employee education modules and documented recovery plans.

Businesses have to meet certain contingencies to say they’ve done all they could to protect themselves from cyber-based crimes before they’re eligible for a claim disbursement.

Those that issue cybersecurity policies have had to pay out a lot of money in recent years, with one cybersecurity insurance specialist stating they processed more claims in the first half of 2021 than in any other time period. This is not sustainable.

As an example, people who have homeowner’s insurance understand they may have to perform preventative maintenance to receive a claim for any damages that may happen.

For instance, an insurer might forewarn a policyholder that their property requires upgrades to its electrical system – and if an electrical fire happens, the insurer will halt a payout of claims as the policyholder did not make the necessary upgrades or pull the right permits to show they were made. This is no different with cybersecurity insurance as enterprises have to meet certain contingencies to prove they’ve done all that was possible for protection from cybersecurity attacks.

Just as a burglar alarm deters a criminal from entering a property and stealing valuable possessions, it is important for companies to take responsibility for their own protection through firewalls and antivirus protection.

In essence, insurance companies want businesses to reduce their attack surface and do all they can to reduce their vulnerabilities and mitigate potential cyberattacks.

Insurers want companies to implement measures that include email protection, employee training, NextGen antivirus protection and multi-factor or two-factor authentication.

Enterprises often must put in place multiple layers of protection to prevent a malicious email from reaching an end user, as a staggering 96% of cybercrimes are estimated to happen via a phishing attack generated via email.

Another measure often required is frequent training for employees to help identify possible cyberattacks such as phishing scams — especially if there is a history of malicious emails breaching the organization’s firewall.

Enterprises using older antivirus protections should also understand that this software relies on established databases of known threats that are sometimes out of date and therefore ineffective against emerging threats.

Also, this traditional software requires every endpoint user to make frequent updates so they are referencing the most current data. Hackers and those who write malware are aware of this severe lag, are already steps ahead and will attack when they’re able.

Enterprises need NextGen antivirus software that offers real-time protection and greater intelligence when scanning for malware.

This modern antivirus protection monitors traffic 24/7 for faster and more accurate detection of any potential threat, rather than waiting for scheduled scans that uncover attacks after they’ve occurred.

NextGen antivirus protection catches attacks as they are attempted as opposed to the archaic way of reviewing files and traffic to identify if something suspicious happened in the past.

Cybersecurity insurance providers also understand that common phishing attacks require someone to give up their unique password, which is more common than one might realize.

Enterprises must have multi-factor or two-factor authentication (MFA and 2FA respectively) in place to significantly increase protection over valuable data, thanks to the added layer of authentication needed for login.

If an attacker obtains a password through their malicious actions, having 2FA or MFA enabled means they still lack the extra code or token needed to move forward and successfully breach the account.

To fully realize the benefits of a cybersecurity insurance policy, it’s imperative to plug every potential hole that will increase the likelihood of a successful cybersecurity attack. Being aware of potential breaches and having best practices in place must be a priority for every individual at a company.

A committed IT team should help meet the standards required of a cybersecurity insurance policy and deploy preventative measures needed to stay in compliance and protect the organization from attacks before they happen.
