Cyber risk: Secure before you insure
Keely Wilkins is an Evangelist with the Office of the CTO as well as a Pre-Sales Security Engineer in Virginia. She has worked in the technology industry for nearly thirty years, holds an MS of Cybersecurity and a variety of certifications. Keely is currently studying toward a Master of Legal Studies specializing in Cybersecurity Law and Policy. She endeavors to find balance among transparency, predictability, and security.
In this article, Keely discusses recent changes in the cyber insurance market and how adopting a prevention-first security strategy may give you stronger footing when negotiating insurance rates and coverage. This article is part three of a three-part series. Be sure to read part one and part two.
What changes are happening within the cyber insurance market?
The items that have caught my attention include insurers declaring cyber to be uninsurable, their leaders advocating for technical training for brokers, stricter controls on cyber policies, and the issuance of a catastrophe bond for cyber risk. It has been a stressful time for cyber insurers, but they are turning a corner.
The insurance industry is not quick to change course. Its response to everything is calculated, as it is meant to provide a measure of financial stability during brief periods of instability. Cyber risk is unlike other risk types; it must be managed differently. I am excited about the changes taking place in the cyber insurance market and the acknowledgement that security is the appropriate instrument to alleviate cyber risk.
"Today’s insurers have a role that goes beyond pure risk transfer, helping clients adapt to the changing risk landscape and raising their protection levels. The net result should be fewer – or less significant – cyber events for companies and fewer claims for insurers." – Allianz Risk Barometer Report 2023
What does it mean to rebalance cyber risk in favor of security?
In simple terms, it means committing to reduce cyber risk with security before transferring the risk to insurance. I have started calling it "secure before you insure".
There is a graphic in the WEF report Global Cybersecurity Outlook 2023 that offers insight into the gap between investing in security and investing in insurance. The question posed is "Has your organization submitted a claim using your cyber insurance policy in the past two years?". For organizations with 1,000-100,000 employees, nearly 60% had successfully filed a claim. "Successfully" means the insurance company paid the claim. This likely resulted in stricter controls being mandated on those policies moving forward. Approximately 20% of respondents declined to answer.
If those organizations shifted their focus to a prevention-first security strategy, they would suffer fewer breaches and file fewer claims.
How can an organization start the process of reducing its cyber risk?
A security workshop (gap analysis) is the first step. The objective of this analysis is to ensure that the appropriate security controls are deployed, the software is at current versions, the systems are patched, and the configurations are correct. This level of assessment also helps leadership identify opportunities for cost savings that will not hinder the effectiveness of the security posture. One example is the consolidation of vendors. Not only does it limit the number of contracts to be managed, the disparate training needed for the security team, and the time lost trying to manage multiple dashboards, it may also save $290K per breach: the IBM Cost of a Data Breach Report 2022 states that having a complex security environment adds $290K in costs per breach.
The gap analysis report should provide a prioritized list of changes to be made. That list typically starts with patch management, code upgrades, configuration corrections, micro-segmentation, and identity management, then graduates to larger requirements that take time and budget to rectify.
Once the gap analysis is digested, an action plan should be developed that assigns time, budget, and resources to each item to be addressed.
This process should be repeated annually to measure progress and assess evolving needs.
Does reducing cyber risk help lower insurance premiums?
I am not an insurance broker, so I cannot answer that definitively. Logically, if the insurance company is covering a lower level of risk because of the commitment to strengthen the security posture via preventative methods, I expect the cost would be lower. #secureB4Uinsure