As cyberattacks grow in frequency and severity, the demand for cyber insurance is exploding in response. According to a 2021 report from Fortune Business Insights, the cyber insurance market was valued at an estimated $7.60 billion in 2020 and is projected to grow to $36.85 billion by 2028, a CAGR of 25.3%. Zurich America estimated that by 2020, 78% of large organizations had purchased cyber insurance coverage of some type.
While insurance can help defray the costs of recovering compromised data and restoring damaged computers and storage devices, networks must be kept compliant with the terms of the policy. Otherwise, in the event of a cyberattack, your claim may be delayed or even denied. Keeping your environment in compliance can represent significant, ongoing costs to your organization — but the cost of neglecting compliance can be much higher.
What Is Cyber Insurance?
A cyber insurance policy (also referred to as ‘cyber risk insurance’ or ‘cyber liability insurance coverage’) is a financial product that enables businesses to transfer the costs involved with recovery from a cyber-related security breach or similar events. Typically, the most important aspect of cyber insurance will be network security coverage. This will offer coverage in the event of a network security failure – such as data breaches, malware, ransomware attacks, and business account and email compromises. However, the policy will also respond to liability claims and ancillary expenses of an attack or breach.
Coverage and Benefits
While cyber insurance coverage varies from provider to provider, typical policies cover organizations in five key areas:
Lost data. Companies are legally responsible for their data, whether stored locally, offsite, or in the cloud. And, if personal information (like protected health records) is exposed, companies may be liable. Cyber insurance typically covers the cost of recovering compromised data, notifying impacted customers, and may cover legal defense expenses.
Lost devices. Stolen or compromised laptops and mobile devices are a leading cause of compromised data. Many cyber insurance policies provide information liability coverage that covers the cost of device replacement, plus legal and other expenses.
Customer notification. The cost of notifying customers and impacted parties about a breach and ongoing remediation efforts can be significant. Cyber insurance can help compensate for the costs of legal counsel and specialized communications providers.
Investigation and forensics. Computer forensics experts help assess the extent of a cyberattack and determine whether sensitive data has been compromised. Cyber insurance may reimburse organizations for the cost of those expert services.
Miscellaneous expenses. Insurance may also help offset the cost of lost business, restoring compromised systems, and other expenses incurred during business restoration.
Tips to Ensure Compliance with Your Cyber Insurance Policy
Cyber insurance is relatively new in the market, and many providers lack the historical data to accurately assess their risks. As a result, policies often require customers to maintain high security compliance standards to qualify for payouts in the event of a breach. Organizations relying on cyber insurance to compensate for inadequate security practices may be in for a shock when they make a claim, especially if they haven’t read the fine print in their cyber insurance contracts.
While the definition of compliance can vary from provider to provider, certain security best practice requirements are common to most policies and should be prioritized:
Third-party audits. An external security audit will help identify potential security issues and can help establish a detailed remediation plan.
Comprehensive backup and recovery plans. Effective backups are one of the best defenses against cyberattacks. Secure, regularly tested, cloud-based backups replicate data offsite and help minimize the downtime resulting from a breach; a backup that has never been restored should not be counted as a working backup.
Regular penetration testing. Penetration testing (completed annually at a minimum) can also uncover security gaps while helping to reduce risk from the insurer’s perspective.
Effective password controls. Some policies make adherence to password best practices a condition of coverage. These best practices include using strong passwords (combinations of letters, numbers, and symbols), a different password for every service, and two-factor authentication.
Comprehensive data encryption. All sensitive data must be encrypted both at rest and in transit. Access to that data, whether physical or online, should be tightly controlled.
Beyond Compliance: Expert Tips
While your policy will help define your cybersecurity priorities, here are two other steps you can take to strengthen your security infrastructure and minimize any issues if you need to make a claim.
Security training. Onboarding training for new hires and regular refreshers for existing employees will reinforce your organization’s security practices, create a ‘security-first’ culture, and help minimize unintentional breaches and exposure.
Collaborate with your insurance provider. A regular dialogue with your insurer allows you to communicate your ongoing security initiatives, identify and resolve any issues, and explore ways to enhance your coverage and optimize your insurance costs.
The Value of an Expert Security Partner
A security-focused integrator can help optimize your organization’s security infrastructure and best practices to ensure you’re compliant with the terms of your cyber insurance policy.
At Path Forward IT, we’re experts in security and compliance. For years we’ve helped healthcare leaders meet stringent HIPAA, HITECH, and CMS requirements, and we bring the same knowledge and expertise to our customers in finance, education, and other industries.
Path Forward IT can work with your team to ensure cyber insurance policy compliance by conducting third-party audits and penetration testing, identifying and remediating security gaps, implementing operational best practices, and providing ongoing security training.
Contact us to learn how we can help you ensure compliance with your cyber insurance policy.