Keeping Up with Cybersecurity Insurance Policies

For SMEs cybersecurity insurance is still a relatively new idea. It was initially introduced in the 1990s to cover large enterprises against things like data processing errors and online media.

Over time, the policies for cybersecurity coverage have changed, and now they can cover the typical costs of a data breach, including remediating a malware infection or compromised account. Other costs typically covered by cybersecurity insurance include:

  • Recovering compromised data
  • IT forensics to investigate the breach
  • Legal expenses
  • Ransomware payments

It is anticipated that data breaches will continue to increase in both volume and cost throughout 2023.

Many small businesses make the mistake of thinking they aren’t big enough to be targeted by cybercriminals. However, cybercriminals often view these small businesses as easy targets, and often a small business will have more to lose. Roughly 60% of SMEs close within 6 months of a cyber incident.

The increase in cybersecurity risks, and the rising costs of a breach, have led to changes in the cybersecurity insurance market. Much like cybersecurity threats, cybersecurity insurance is constantly evolving and it’s important to keep up with these trends, so you can stay protected.

Here are the current cybersecurity insurance trends you need to be aware of:

Demand is increasing.

The average global cost of a data breach is currently $4.35 million, and this is a cost that is continuing to rise. As these costs rise, so does the demand for insurance.

Higher demand for cybersecurity insurance will lead to more availability, and more policy options, which is good for anyone seeking coverage.

Premiums are increasing.

An increase in cyberattacks means an increase in insurance payouts. To keep up with this insurance companies are increasing their premiums.

The costs from ransomware demands, lawsuits and other remediation work have driven this increase.

Certain types of coverage are being dropped.

Certain types of cybersecurity coverage are getting harder to find. Some insurance providers are dropping coverage for “nation-state” attacks, which are attacks that come from a government.

Another type of coverage being dropped from some policies is ransomware. Insurers no longer want unsecure clients to rely on them to cover ransomware demands, so many are excluding it from their policies. This puts a bigger burden on businesses that need to ensure their backup and recovery strategies are well-planned.

It’s getting harder to qualify.

Qualifications for cybersecurity are getting stiffer because insurance providers are less willing to take chances. There are a number of factors insurers will take into account to determine if you qualify for insurance, including:

  • Network Security – these are the practices and technologies you use to protect your company network from unauthorized access. This includes firewalls, encryption and other secure protocols to protect data in transit and data at rest. Network security also covers monitoring activity to detect and respond to security incidents and vulnerabilities.
  • Use of Multi-Factor Authentication (MFA) – Multi-factor authentication is used to increase the security of the authentication process and make it more difficult for unauthorized users to gain access to a system or data. MFA is typically made up of something a user knows, such as a password, and something they have, such as an access token on their smartphone, which is protected by either a pin number or biometric security such as a fingerprint.
  • Bring Your Own Device and Device Security Policies – Many companies nowadays have bring-your-own-device policies that allow employees to use their personal devices, such as laptops, smartphones or tablets, for work purposes. Most companies with bring-your-own-device policies will also have security measures such as mobile device management, data encryption and device-level security in place.
  • Advanced Threat Protection – Security solutions that use multiple technologies and techniques to detect, analyse and respond to cyber threats. The main goal of advanced threat protection is to detect and respond to threats that can bypass traditional security protocols such as firewalls and anti-virus software.
  • Automated Security Processes – Many security-related, such as vulnerability management, incident response and compliance checking can be completely automated.
  • Backup and Recovery Strategy – If the worst should happen, how quickly can you get back up and running? Having a robust backup and recovery strategy in place means you can get back up and running quickly, with minimal data loss and disruption.
  • Administrative Access to Systems – Administrative access is typically given to small groups of users such as system administrators or IT staff who are responsible for maintaining the security and integrity of the systems.
  • Anti-phishing Tactics – These are methods used to protect businesses and individuals from phishing attacks. This could include user training, email filtering, multi-factor authentication, URL and link scanning and regular security assessments.
  • Employee Security Training – Do your users know how to identify a suspicious link or email? Human error is a leading cause of security breaches, so it is important to make sure your users know what to look out for.

When applying for cybersecurity you may have to fill out a lengthy questionnaire that includes questions on your current cybersecurity situation, and the measures you have in place. It may seem like you have to put in a lot of effort to qualify for cybersecurity insurance,