Are rising cyber insurance premiums a blessing in disguise?
Cyber insurance, once viewed as an affordable and desirable part of a reliable cybersecurity strategy, is quickly becoming unattainable for organisations. Premiums have increased dramatically in the last 12 months, with one report revealing the price of cyber cover grew by 92% in the final quarter of 2021 alone.
Devastating ransomware attacks are driving the increase in premiums, while also pushing more organisations towards cyber insurance as a way of transferring the risk of what they see as an inevitable cyberattack to providers. In this dangerous and fast-changing environment, insurers can no longer accurately quantify the risk they are underwriting, and businesses whose cyber hygiene is insufficient, or simply unmeasured, are left with a cybersecurity deficit that a policy alone does not close.
The dark side of cyber insurance
Cyber insurance is not the ‘silver bullet’ some businesses hope for and rely on. In the worst case it breeds complacency and can even incentivise cybercriminals. A recent Gigamon report found that 21% of organisations say cyber insurance is their entire cybersecurity strategy, with no other processes or tools in place. Given the current threat landscape, in which a cyberattack is a matter of when rather than if, it is extremely concerning that over a fifth of companies have no proactive measures in place to prevent a breach.
It is also worrying that cybercriminals may be more likely to target a business that holds cyber insurance. If a victim organisation pays the ransom, the attack is a quick win for the bad actors; and if the payment is covered by the insurer, it represents no long-term financial loss to the organisation, which weakens the incentive to refuse. With research showing that insured organisations are twice as likely to pay up as those without cyber cover, it is understandable that providers are introducing more stringent requirements and raising the cost of insurance.
The silver lining to rising insurance premiums
Although rising premiums do not at first look like a positive, they are forcing organisations that want to take out cyber insurance to re-evaluate their cybersecurity strategies. By putting stronger security controls in place, they both improve their security posture and stand a better chance of passing the rigorous assessments insurers now carry out.
So, what can businesses do to lower their premiums and bolster their cyber hygiene? The first step is a culture shift within the organisation. Almost every ransomware attack involves a human element at some stage, so people must be remembered and prioritised in any cybersecurity strategy. Promoting a security-first mindset across the whole business, from intern to CISO, through regular education and training programmes, is central to reducing the likelihood of a successful attack. By feeding the outcomes of these programmes back to insurers, businesses can demonstrate their commitment to cybersecurity and show how well staff are performing.
Organisations must also demonstrate that they are continuously and proactively detecting and mitigating threats within their environment. Large enterprises are likely to have the resources in-house to do so, but for smaller businesses, which often form potentially vulnerable links in a supply chain, working with a trusted security partner to support threat monitoring can be invaluable. An outsourced Security Operations Centre (SOC), in particular, pools the experience of security professionals with extensive knowledge of the threat landscape and can protect businesses of any size 24/7, 365 days a year.
Collaborating with a security partner and promoting a security-first mindset clearly signal to insurers that an organisation prioritises cybersecurity. Not only can this help reduce premiums by giving insurance providers a better understanding of an organisation’s risk level, but it also leaves the business with far stronger defences against increasingly dangerous threat actors.
About the author
Rick Jones is CEO and Co-Founder of DigitalXRAID, which provides cybersecurity solutions and penetration testing to businesses and organisations. He has an impressive career spanning 20 years of delivering cybersecurity strategies and network security architecture to large corporate businesses across the UK. Before launching DigitalXRAID, Rick ran a successful security consultancy where he honed his skills in developing and growing technology businesses.