If you have ever shopped for cybersecurity insurance, you know that insurance costs depend on a number of factors including the size of your business, number of employees, your industry, and the type of data stored. Another perhaps more significant factor is your current cybersecurity posture, an increasingly objective measure of your susceptibility to malware, phishing, social engineering, or service interruption.
To obtain cyber insurance, you are required to implement specific cybersecurity controls, but it is advisable to go beyond the minimum and build your own security program to lower your premiums. Each insurer sets its own requirements, and those requirements now lean heavily on evidence of a strong cybersecurity posture. It should go without saying, but a strong security program in place before you apply will save you thousands.
What Affects Cyber Insurance Costs?
Any business with digital assets should look into cyber insurance, especially if you have an online presence, expose developer interfaces that connect to your internal data (e.g., an API), provide online services that store sensitive information, or accept payments over the internet. Even if you think your current cybersecurity controls are water-tight, the human element leaves your organization exposed to social engineering, malware, ransomware, and phishing attacks. No environment is 100% risk-free, so cyber insurance helps cover the costs of incident response, disaster recovery, litigation, public relations, customer notifications, and the loss of income that follows brand damage.
Just like car insurance, several factors go into the cost of your insurance, some of which can be managed. If you have been the victim of a data breach prior to getting a cyber insurance policy, you will probably pay more than a company with a clean history, but this is not the only decision point for calculating costs. Other key factors include:
- Your industry and the size of your organization: Human error is one of the biggest risk factors that affects your cybersecurity posture, so the number of people employed at your business is a factor in insurance pricing.
- Type of data you store: Some businesses store very little customer information such as simple contact information, but others store patient data or financial data along with personally identifiable information (PII). The latter businesses will have higher premiums because of the type of data they collect. The amount of sensitive data accumulated also affects insurance costs, because a data breach will subsequently affect several more people and could lead to litigation.
- Annual revenue: Because cyber insurance covers loss of revenue, an organization's annual revenue factors into costs.
- Insurer policies: Deductibles and coverage limits affect costs. Talk to your provider to find the combination for your business and budget that keeps premiums low while still providing enough coverage to protect business continuity.
- Current security controls: Every organization has its own security strategies, risk management, and cybersecurity posture. Good cybersecurity controls reduce insurance costs and should be reviewed before you shop for providers.
How to Reduce Cyber Insurance Costs?
While you might not be able to control each of these factors, you can at least make a significant dent in your premiums by applying common cybersecurity best practices. In general, these practices take a proactive rather than reactive approach to cybersecurity. For example, good access control policies limit the damage from a data breach should an employee fall for a phishing attack and disclose their credentials. Having an incident response plan in place is also valuable, but ideally you want strategies that actively stop a threat from becoming a compromise.
Here are a few lightweight methods you can add to your security program in the near-term to lower cyber insurance costs:
- Implement multi-factor authentication (MFA): Phishing is the primary strategy attackers use to steal credentials from employees. Security Magazine reports that 26% of employees fall for phishing emails.¹ Even when credentials are stolen, MFA adds a layer of security that threat actors must separately defeat before they can use those credentials to steal data.
- Add cybersecurity awareness training to corporate policy requirements: Security awareness training educates employees on the dangers of email-based attacks, social engineering, physical threats (e.g., tailgating), and safeguarding data while working from home or traveling. When employees are better equipped to identify threats, they are less likely to fall for common threats.
- Monitor your environment: An Intrusion Detection System (IDS) continuously monitors your environment and alerts administrators when anomalous traffic is detected, and an Intrusion Prevention System (IPS) goes a step further by actively blocking and containing threats. Both systems are important for proactively stopping threats before they become a critical incident.
- Have a backup plan: Backups are necessary for business continuity and recovery after a ransomware attack. Without backups, your organization could be asked to pay up to $13.2 million to get your data back, and recovery is not guaranteed even if you pay the ransom.² Backups are the single best way to recover from this extremely damaging malware without paying the ransom.
- Create an incident response plan: Knowing what to do when systems are compromised reduces the time for recovery and speeds up containment of the threat. An incident response plan lays out what to do after a threat is discovered and improves efficiency of containment so that administrators can limit damage from a compromise.
- Install email filters: Email filters analyze incoming messages, detect likely phishing, and quarantine suspicious messages so that administrators can review their content before they reach an inbox.
Cybersecurity Programs Save Thousands But Must Be Done Right
Not every organization has the capacity for an in-house security team that can spend time developing a good cybersecurity program. Your program needs policies for employees to follow, training, mitigation strategies, discovery methods (e.g., monitoring and analysis), access controls, employee onboarding and offboarding policies, security for employees working from home, incident response, disaster recovery, investigation steps, and much more that is necessary to limit damage to your organization. Ultimately, the more effective your security program, the larger the discounts you will get on your cyber insurance policy.
To find out how Access Point can help you build and improve your cybersecurity program, meet with a subject matter expert today.
Sources
¹ https://www.securitymagazine.com/articles/97321-1-in-4-employees-who-fell-victim-to-cyberattacks-lost-their-jobs
² https://www.securityinfowatch.com/cybersecurity/article/21292765/ransomware-attacks-declined-in-22-but-more-records-being-compromised