What Companies should consider BEFORE buying
Cyberattacks have risen by more than 300% since 2019 and experts predict that cybercrime will only increase in frequency and severity as attackers get smarter, more sophisticated, and more organized. Recent news has focused on larger companies – including those with government ties, which is of particular concern. But it’s important to note that attackers don’t care how big you are, or where you are. With increased remote workforces accessing company valuables via personal devices, cybercriminals are finding more targets in the home. This means your personal life could be affected too.
Moving on to the defensive, companies are looking to protect themselves with cyber insurance. But many say it isn’t enough to protect you. Is it even worth buying at all?
To begin with, the factors that cyber insurance companies look at to determine your rate are simply your risk factors. You can find a discounted rate and come out better off in the event of an attack by minimizing your cybersecurity risk. But, with the right tools and methods to mitigate risk, you may not need cyber insurance at all!
While the assumption is that cyber insurance will protect companies in the event of an attack, word has it they’re not paying most of the time. Much like healthcare insurers, your rate will depend on your “pre-existing conditions”. For cybersecurity, this means that having the proper security protocols in place is critical.
Like any company, cyber insurance providers are out to make a profit, so they’ll try to find ways to deny your claim and continue to collect premiums. And a lot of complicated language and hidden fine print can easily confuse the less savvy buyer – causing them to make grave mistakes.
Why are cyber insurers NOT paying, and what can companies do to better protect themselves?
1. Weak Security Practices
The number one reason for security breaches is human error. It’s usually a leaked password (81% of the time it’s credential theft) or some other human mistake. … Insurance won’t pay if the incident could have been easily prevented. Proper security regulations and practices must be in place, and staff must be trained to adhere to them.
2. Insufficient Documentation
Because insurance companies want to avoid payout on claims, they’re not simply going to take your word that you were doing the right things at the time of an incident. You’ll need evidence that shows your company did everything in its power to comply with security regulations. Third-party tools can automate and streamline this often-tedious process, collecting all the required screenshots, data, and documents required.
3. Blaming Someone Else
Putting the blame on contractors for a security event is not uncommon, but insurance companies will deny a claim that involves third parties. Instead, you’ll need to take any issues up with the vendor in question.
Regular assessments should be carried out to spot potential problems before there’s an incident. Proper tools for tracking and assessment can be put into place to make this easier.
4. Faulty Or Missing Documentation
It’s not enough to prepare in defense of cyber incidents if your documentation is incorrect or incomplete.
It’s a good idea to look at employing compliance software tools and solutions that can document every step and detail leading up to an event and help ensure that your “case” for the insurance company is solid.
5. Limited Timelines
Take care to read the fine print when it comes to the period for which you are covered. Many insurance plans will limit coverage during any interruption of service caused by an event. Not understanding how it works could cost millions.
You’ll need to do some research on what is realistic for recovery time for various incidents and ensure you’re getting adequate coverage.
How You Can Get Better Cyber Insurance Rates
Despite the grim picture, there is a way forward, and it doesn’t have to be the enormous expense you might think! With the right preventative measures and documentation, companies can vastly improve their chances of receiving payment after an incident.
Here is our list of top recommended cybersecurity measures:
- Install firewalls, not VPNs. (TraitWare provides Zero Trust access versus a VPN.)
- Set up email spam filters
- Install antivirus software
- Limit employee account privileges
- Set up MFA and authenticator tokens
- If you must use passwords, be sure they are complex and change periodically
- Use a password manager or “Vault” such as Keeper
- Regularly back up all data – offsite or cloud
- Initiate employee cybersecurity training
- Automatically push software updates
- Use VDIs for employees on personal computers (Citrix, Azure VMware) and TraitWare for Zero Trust access control
With all of that, some experts assert that Cyber insurance is a waste of your company budget! Why?
First, and perhaps most importantly, Cyber insurance won’t prevent cyber-attacks. Period. You’re really only protected if you already have proper controls in place. AND if you don’t have sufficient “Cyber Defense” the insurer will consider you high risk, so you’ll be paying a high premium too. Many argue that companies should spend those funds to improve security measures instead of buying coverage.
Another point to consider is that Cyber Insurance is still a relatively young space, which means under-experienced insurers. Of course, use caution when choosing a provider, but also consider what security measures they have in place. Many are wary of the wealth of sensitive information they collect on clients. Poor security practices can mean exposure of your critical company data.
Bottom Line? Before you jump on the cyber insurance train, remember that the best “insurance” is your own cybersecurity posture. Start with real multi-factor authentication (MFA) for access to all your company valuables. Whether or not you decide to get additional coverage, put the right tools in place now.
If you need expert help navigating today’s tough cyber insurance landscape, find out more about TraitWare+Brightline Insurance for better security, insurance, and clarity.