In a recent episode of our Cybersecurity Simplified podcast, we talked about how the risks of ransomware are becoming too high for some cyber insurance companies. But the ramifications of this trend extend well beyond ransomware to include all cyberthreats.
That means we need to rethink our perceptions of cyber insurance and, most importantly, how it fits into our cybersecurity risk-mitigation strategies.
Myth 1: Cyber Insurance Removes Risk of Threats
Contrary to popular belief, cyber insurance isn’t a security blanket that removes the risk of cybercrimes like ransomware. It’s a safety net so that the fallout of an attack – business disruption, data loss, system restoration, etc. – is not as damaging or debilitating for the victim.
Increasingly, cyber insurance companies like AXA are refusing to reimburse companies for ransomware payoffs, which have grown in volume and value. (Payouts are even blamed for the uptick in ransomware attacks). Not coincidentally, AXA was hit with a ransomware attack right after it announced the policy change. Bad actors are none too pleased about cyber insurance companies drawing the line and following the government’s advice not to negotiate with cyberterrorists.
That doesn’t mean cybercriminals will back down; they’ll just change tactics. And so must you. It’s time to rethink the way you view cyber insurance and its role in cybersecurity risk mitigation.
Myth 2: Cyber Insurance Replaces Cybersecurity Measures
Don’t expect cyber insurance to be blanket protection against financial loss from breaches. Going forward, underwriters are unlikely to cover your business without proper security measures in place.
You’ll need to provide proof of your processes and precautions, including the cybersecurity solutions you deploy and the third-party vendors or managed services providers (MSPs) you’ve engaged in protecting your systems and data.
If you don’t have the proper measures in place, cyber insurance companies may deny your claims. Whether they pay up or not, expect your premiums to increase – possibly dramatically.
Computer Weekly reports that in June 2021, insurance pricing worldwide increased by an average of 32 percent year over year.
Myth 3: Cyber Insurance Covers All Breaches
Even if you have cybersecurity measures in place, you still may not get a payout when your systems are breached. Cyber insurance companies may only cover you when your robust cybersecurity measures fail through no fault of your own.
A good example is a zero-day attack for which you could not have been prepared. (Zero-day refers to an attack with zero days between the time the vulnerability – a flaw in the software, firmware, or hardware – is discovered and the first attack.)
Myth 4: Regulatory Compliance Qualifies for Cyber Insurance Coverage
Just as cyber insurance companies are not likely to cover any and all breaches, they also are not likely to issue policies without any evidence of cybersecurity measures. That means if your company is doing the bare minimum to meet regulatory compliance requirements, you still may not be covered.
Underwriters may only insure your business if you have the right cybersecurity controls in place. The likely measures they will look for include:
- Data Backup, which involves copying physical or virtual files or databases to a secondary location in case of failure, breach, or disaster
- Multi-Factor Authentication, which requires multiple methods – a password, security token or fingerprint, etc. – to verify a user’s identity for a login or other transaction
- Penetration Testing, which employs ethical hackers to mimic attacks to evaluate an organization’s security vulnerabilities
- Security Awareness Training, which addresses human error in breaches by educating employees about security threats like phishing
- Patch Management, which is the process of keeping hardware and software up to date to eliminate security vulnerabilities for cybercriminals to exploit
- 24/7 Monitoring, which employs detection and response technologies that are managed around the clock by expert security analysts for both automated and proactive remediation.
Overwatch by High Wire Networks delivers advanced managed cybersecurity services through a network of trusted MSSP partners. We arm our partners with our market-leading security platform and the expert resources to deliver best-in-market managed cybersecurity services.
The best practice is to pay close attention to the details of your cyber insurance policy. If they require a specific type of backup or regulate the scheduling for your backup process, make sure you comply.
While these extra precautions may seem overly burdensome, keep in mind that they are doing more than satisfying the underwriters, they are safeguarding your systems and your data.