Chief strategist with Sevco Security. Security industry entrepreneur, board consultant, investor and author.
Between the constant barrage of costly ransomware and other attacks, cyber insurance is more important than ever for businesses. A company can implement appropriate security controls and meet regulatory mandates, but breaches still happen, and when they do, cyber insurance can be a vital tool in helping a business recover quickly. However, it is also becoming more expensive, complicated and difficult to obtain.
According to Fitch Ratings, cyber insurance is the fastest growing segment of the US property/casualty insurance market. However, claims and payouts have soared along with this growth, giving insurers a reason to be stricter about what they expect from policyholders.
Between 2018 and 2021, Fitch found a 100% increase in the number of cyber insurance claims submitted by policyholders and a 200% increase in the number of claims paid by insurers. Although the growth in cyber insurance premiums has slowed somewhat, prices are still rising. According to the insurance broker Elos, there was an 11% increase in average cyber insurance prices in the first quarter of 2023 after a 28% jump in the last quarter of 2022.
Obtaining cyber insurance may once have been a simple process. However, the growth and complexity of the cyber landscape have changed the process, and companies wanting to qualify for reasonably priced cyber insurance carry a significant burden of proof. They need to prove to insurers that they have strong security controls and are compliant with cyber security mandates.
While there are many methods for demonstrating strong security controls, three areas stand out. These areas include security assessments, breach and attack simulation, and asset intelligence.
Security Assessments
Security assessments are a fantastic mechanism for leveraging experts to penetrate, assess and measure the effectiveness of your security controls. They can also effectively measure how well trained the incident response team is and how well its procedures work in the face of an incident. The deliverables from these assessments can help identify and prioritize potential issues with your talent, techniques and technology that can impede the effectiveness of an organization’s security controls.
Breach and Attack Simulation
Third-party penetration testers as well as internal red, blue and purple teams can use breach and attack simulation solutions designed to validate the effectiveness of security controls, from endpoint protection and network firewalls to email protection and SIEM. They perform real attacks such as data extraction and malware execution to determine if security controls prevent attacks from being successful.
They can also determine if attacks are detected and generate alerts for hundreds or thousands of attack types. The resulting output accurately matches successful attacks to failed security controls while offering actionable regulatory adjustments — ensuring optimized and validated controls are in place.
Asset Intelligence
Asset intelligence can provide abundant, evidence-based, actionable data where regulatory compliance and cybersecurity meet. It is an area where auditors spend significant time because when assessing a system, it is of utmost importance to understand the entire spectrum of an organization from a risk perspective. You gain this understanding just in time because auditors often deal with regulators and insurance companies at the same time.
From a security perspective, asset intelligence based on evidence-based security data—rather than simply inventorying devices and software—can help organizations comply with regulatory standards. These standards, after all, are designed to ensure that certain security controls are in place. This data is also what insurers look for when writing a cyber insurance policy.
For organizations, the benefits of asset intelligence include:
• Risk mitigation, which is an important compliance discipline and some of the best data you can have when applying for cyber insurance.
• Faster detection of security gaps, which is an essential step in the risk reduction chain of vulnerability detection and mitigation, as well as another critical factor where regulatory requirements and insurance converge.
Indisputable, evidence-based data showing that an organization is taking a proactive approach to risk management can translate into more favorable terms for cyber insurance, including lower premiums and other factors such as the length of a policy. With car insurance, if you can show an insurer that you live in the middle of nowhere and your nearest neighbor is 50 miles away, you will pay less for insurance. With cyber insurance, the data you mine is worth dollars and cents.
It can also benefit insurers by making them more competitive. A better understanding of a company’s security posture not only allows insurers to offer a lower rate, but also gives them the flexibility to tailor policies to the unique needs and risks of the business.
Conclusion
Cyber insurance is vital for businesses operating in the face of increasing threats and the potential for costly, reputation-damaging breaches. A company that can assess its security, conduct breach and attack simulations and provide a clear picture of its business should have more favorable insurance terms.