The truth: cyber risk has increased exponentially in the past few years. Massive waves of ransomware attacks from increasingly sophisticated cybercriminals have led to major increases in cyber insurance premiums (around 50%).
Insurance companies live and die by their ability to accurately quantify risk, and cyber risk is no exception. Actuarial science powers a global market of insurance premiums worth $7 trillion annually. Due to the exponential increase in cyber-attacks caused by a surge in simple but scalable cybercrime, businesses have endured financial blow after financial blow. Most businesses recognize their cybersecurity strategy must change, and cyber insurers that make coverage decisions using advanced statistical methods play an increasingly pivotal role in determining what that change entails.
Changing Cybersecurity Priorities
Self-assessment questionnaires are getting more detailed as cyber insurance underwriters seek to understand the applicant’s cybersecurity posture, from the finer details of multifactor authentication (MFA) to exact group policy rules for Windows Active Directory (AD). Most businesses can say they have some of these strategies in place, but rarely can they tick every box. Therefore, they must make investments in tools or headcount to make up the difference. Failing to invest might mean denial of cyber-insurance coverage or significantly more expensive premiums.
Audit Before You’re Audited
The current state of cyber insurance offers some actionable opportunities for cybersecurity decision-makers.
First, don’t underestimate the power of an accurate cyber-insurance self-assessment, which is how cyber insurers judge businesses during the auditing and claims processes. Current self-assessment surveys ask surprisingly challenging questions and cover a wide set of fields from backups to AD security to MFA. It is important not to treat this as a formality and to ensure that information is entirely accurate; cyber insurers are more than willing to decline coverage and even sue if a business falsely claims, for example, that it has MFA protection across all its digital assets. Failure to document preventive measures is nearly as bad as not having those preventive measures in the first place.
If you’re unsure about your cybersecurity posture, reach out to us for a complimentary Cybersecurity Discovery Call.