Let Your Light Shine on Your Prevention/Remediation Efforts
Insurance against digital risk has become a common part of business protection coverage.
As digital threats have grown, the practice of underwriting these risks has matured,
but it has always been in search of more information to gauge the real cost of attacks.
General business liability and cyber insurance policies have been used to cover the losses
from large ransomware payouts and data breaches. Coverage limits and underwriting
experience have led to dramatic increases in the cost of insurance, driven by the
rising cost of recovering from an incident. The global average cost of a data
breach is $4.24 million (IBM/Ponemon Institute, Cost of Data Breach Study, 2021).
Tips to Help Reduce Cyber Risk Insurance Costs
Your underwriter needs as much information as possible on the protections the business
has in place.
- Provide all compliance efforts you are required to meet. For example, if you take
credit card payments, list the PCI (Payment Card Industry) level you meet and the steps
taken to be compliant.
- Compliance frameworks (PCI, HIPAA, NIST CSF, CMMC, etc.)
- Any new or renewed security certifications
- Security cross-training for staff or security conference attendance
- Updated annual security awareness training for all company personnel
- System upgrades/migrations
  - Newer releases should include security fixes and hardening that older versions lack
  - Judiciously keeping up with version upgrades prevents critical systems from operating
beyond their end of support, when no bug fixes or security updates are available.
- History of testing those defenses
  - Penetration tests
  - Annual Incident Response (IR)/Disaster Recovery (DR) exercises
  - Simulated phishing attempts and training for company personnel
  - Audit results
Insurer Annual Review
Your insurer will send an annual review form to attest that data protections remain
in place. This is a great time to take credit for improvements.
- List upgrades and training for staff along with any testing performed. Testing can
be internal, such as a tabletop exercise that walks through the Incident Response
plan with the staff who would be involved in detecting and fixing security issues.
- If there has been an incident severe enough to report to senior management, it is likely
reportable in the annual review. This should be the high-level, executive summary
portion of the internal report. If the insurer wants more detail, they will ask
for the entire report. The focus should be on detection, remediation success, and
what was done to protect against the issue in the future. Incidents will happen.
Detecting, recovering, and preventing future attacks are signs of a mature security
program.