Lowering Cyber Risk Insurance Costs

Let Your Light Shine on Your Prevention/Remediation Efforts

Insurance against digital risk has become a common part of business protection coverage. As digital threats have grown, the practice of underwriting these risks has matured, but it has always been in search of more information to gauge the real cost of attacks.

General business liability and cyber insurance have been used to cover the losses from large ransomware payouts and data breaches. Coverage limits and underwriting experience have led to dramatic increases in the cost of insurance, driven by the rising cost of recovering from an incident. The global average cost of a data breach is $4.24 million (IBM/Ponemon Institute, Cost of a Data Breach Report, 2021).

Tips to Help Reduce Cyber Risk Insurance Costs
Your underwriter needs as much information as possible about the protections the business has in place.
  • Document every compliance requirement you are obligated to meet. For example, if you take credit card payments, list the PCI (Payment Card Industry) level you meet and the steps taken to stay compliant.
    • Compliance frameworks (PCI, HIPAA, NIST CSF, CMMC, etc.)
    • Any new or renewed security certifications
    • Security cross-training for staff or security conference attendance
    • Updated annual security awareness training for all company personnel
    • System upgrades/migrations
      • Newer releases generally carry the latest security fixes
      • Keeping up with version upgrades prevents critical systems from running past their end of support, when no bug fixes or security updates are available
  • History of testing those defenses
    • Penetration Tests
    • Annual Incident Response (IR)/Disaster Recovery (DR) exercises
    • Simulated phishing attempts and training for company personnel
    • Audit results

Insurer Annual Review
Your insurer will send an annual review form to attest that data protections remain in place. This is a great time to take credit for improvements.
  • List upgrades and staff training along with any testing performed. Testing can be internal, such as a tabletop exercise that walks through the Incident Response plan with the staff who would be involved in detecting and fixing security issues.
  • If an incident was severe enough to report to senior management, it is likely reportable in the annual review. Provide the high-level, executive-summary portion of the internal report; if the insurer wants more detail, they will ask for the full report. Focus on detection, remediation success, and what was done to protect against the issue in the future. Incidents will happen. Detecting them, recovering from them, and preventing future attacks are signs of a mature security program.


Richard Wolford
Software Engineer


PA Cybersecurity Resource Center
The PA Cybersecurity Resource Center is financed by a grant from the Commonwealth of Pennsylvania, Department of Community and Economic Development.
Copyright © 2024 Concurrent Technologies Corporation. All rights reserved.