It's a common challenge for many of us – navigating the daily risks that life presents. Whether we're behind the wheel, safeguarding our homes from potential burglaries, or embarking on international journeys, insurance has become an essential part of our lives. Some may argue that it's impossible to protect against every risk, as we don't live in a bubble. But what about safeguarding against cybercrime? If your company falls victim to cyberattacks, can you recover the damages? Cyber insurance appears to be the solution.
In the last three years, the cyber insurance market has witnessed an astonishing surge. It skyrocketed from $7 billion in 2020 to a projected $22 billion by 2025. Remarkably, close to 60% of small to medium-sized businesses have now secured cyber insurance coverage. What’s even more striking is that nearly 90% of cyber insurance claims are stemming from data breaches, contributing to a substantial 70% or more increase in cyber insurance premiums within just the past two years.
It’s crucial to highlight that the landscape of cyber insurance is evolving rapidly, with fewer insurers willing to provide coverage. Specialized insurers have significantly raised the bar in terms of qualifying criteria and minimum cyber resilience standards. The once straightforward cyber insurance qualifying questionnaire has transformed significantly. I can personally recall assisting my clients with these questionnaires just a few years ago. They used to consist of basic questions with assessments that lacked depth and complexity. In those days, a few pages of questions and answers were all it took to qualify for a policy.
In 2023, there has been a significant shift in how cyber insurance providers assess policy risk and evaluate organisations for their cyber resilience. Today, a proactive cybersecurity strategy, complemented by multi-tier protection utilising advanced detection and response systems like EDR, MDR, and SIEM, has become a fundamental requirement. This isn’t merely a new demand conjured up by actuaries to mitigate risk. Insurers are taking a pragmatic approach that directly influences how organisations design and execute their cybersecurity strategies. In the author’s perspective, cyber insurance has emerged as a major driving force behind the ongoing enhancement of cyber resilience and the maturation of cybersecurity strategies within organisations.
Traditional systems and methods like antivirus, anti-spam, and anti-phishing measures no longer suffice as qualifications for obtaining a cyber insurance policy. Insurance providers now thoroughly assess various aspects of your organisation’s IT infrastructure, including:
- Your disaster recovery and business continuity systems, including specific details.
- The policies governing your backup and recovery procedures.
- Hardware and software lifecycles, along with any systems that are still in production despite reaching their end-of-life or end-of-support status.
- Information about your endpoint detection and response systems, including the active protection techniques in place.
- Extended endpoint protection technologies, such as Extended Detection and Response (XDR) or Managed Detection and Response (MDR) solutions.
- The frequency and results of both internal and external vulnerability scans. Access control systems, encompassing Privileged Access Management (PAM) and Multi-Factor Authentication (MFA) practices.
- Risk management strategies, specifically those addressing social engineering fraud, payment diversion, and customer impersonation fraud.
- Email security measures, including attachment and link sandboxing, as well as Sender Policy Framework (SPF) enforcement.
- Your organisation’s cybersecurity awareness training initiatives, which should involve phishing simulations for employees.
As fervent proponents of cyber insurance, Exigence has forged collaborations with prominent cyber insurance providers to facilitate their clients’ eligibility for cyber insurance policies. Our support goes beyond simply responding to policy inquiries; it encompasses the thorough completion of supplementary questionnaires and engaging with insurance brokers to provide clarity on risk mitigation strategies and the deployment of critical controls and protective measures.
Exigence’s managed security services are strategically aligned with the evolving demands of cyber insurance, effectively addressing the escalating costs and qualification criteria. Our goal is to maintain a proactive stance by consistently embracing cutting-edge cybersecurity detection and response mechanisms. This approach not only offers a tangible advantage in terms of potential reductions in your cyber insurance premiums but also ensures compliance with policy requirements, including the insurance policy terms and conditions.
While cyber insurance policies are invaluable in mitigating financial losses in the event of a cyber incident, they may not cover all aspects of a cyberattack. For instance, reputational damage and loss of customer trust can’t be recovered merely by an insurance payout. Moreover, the rapidly evolving landscape of cyber threats makes it challenging to predict and account for all potential risks. Therefore, organisations must complement their cyber insurance with a robust cybersecurity strategy that focuses on prevention, detection, and response to cyber threats. This approach is a win-win because you get a cheaper cyber insurance policy while at the same time lowering your cyber risk posture.
Talk to Exigence about Email Security!
Exigence is here to assist your organisation in meeting the qualifications for a cyber insurance policy, all while delivering the tangible advantage of enhancing your company's cyber resilience. After all, wouldn't you prefer to prevent the need for a cyber insurance claim altogether? To learn more, we invite you to engage with our team for further information.