How cybersecurity and insurance can work together
Cyber insurance is a market in its infancy and insurance brokers are looking for ways to better manage cyber risk. We’ve seen this recently in the case of Lloyd’s of London, which excluded state-backed cyberattacks from its cyber policies.
However, cyber insurers and managed security service providers (MSSPs) are approaching cyber risk from two different angles. MSSPs are focusing on how to secure an organisation against a potential breach, while insurers are looking at how much damage would be caused if a breach occurred.
Although they initially seem very different, these two approaches can and should work together. If MSSPs and insurers were to collaborate, the focus could be centred on how to better manage risk, leading to fewer successful cyberattacks and consequently fewer pay-outs. But how can we make this work? And what does it look like in practice?
Cyber insurance or cybersecurity?
Cyber insurance premiums have risen sharply. Premiums rose by 92% in the UK in the final quarter of last year and, exacerbated by Russia’s invasion of Ukraine and the prospect of cyber warfare, this trend has continued through 2022. As a result, cyber insurance has quickly become unaffordable for SMEs in particular, with almost 30% cancelling their policies in 2021 to save money.
For smaller businesses in the UK, rising premiums have unfortunately also coincided with the cost-of-living crisis and spiking energy costs. External pressures on already stretched cybersecurity budgets have forced SMEs to choose what they invest in: cybersecurity or cyber insurance. But neither alone is fit for purpose.
All businesses, small and large, need cost-effective and commercially flexible cybersecurity and insurance solutions, and those are most likely to come from cross-industry collaboration between MSSPs and insurers.
The central question is how can MSSPs and cyber insurers work together to benefit themselves, their customers and the market as a whole?
First, it’s the role of MSSPs to support organisations in achieving a foundation of strong cyber hygiene and improving cyber resilience with a proactive, combined cybersecurity solution. From there, an organisation will be better positioned to approach insurers and secure lower premium costs. This solution should include, at a minimum: basic cyber awareness training made available to teams; business continuity and incident response (IR) plans ready to use in the case of a breach; a comprehensive suite of back-ups that is regularly updated and, just as importantly, regularly tested for restoration; and continuous threat detection and response services.
Vulnerability assessments are the next key step for MSSPs to support with. Regular scanning of internal and external systems surfaces vulnerabilities the organisation was not aware of, enabling it to respond and remediate before cybercriminals can exploit them. One caveat: scanners only report weaknesses they have signatures for, so scan results should be prioritised by exposure and exploitability and paired with timely patching rather than treated as a complete picture. Alongside scanning, MSSPs can offer dark web monitoring to detect whether compromised business credentials are being traded on criminal marketplaces.
Vulnerability scanning serves an essential purpose for insurers too. If an organisation prioritises regular scanning, the results act much like the telematics box in a car: insurers receive current data on a customer’s cyber resilience and can consequently measure risk and price premiums more accurately. This up-to-date data should be provided by MSSPs to insurers and play a more central role in cyber risk assessments and cyber insurance policies, for everyone’s benefit.
Finally, insurers need to start looking at cyber risk slightly differently. Many primarily assess the amount of damage that can be done, and how much this would cost, in the case of a breach. Yet they need to shift away from viewing this as the central consideration and start analysing how safe and secure an organisation is – how mature is this company’s cybersecurity, how many attacks have they mitigated, how regularly is vulnerability scanning used to provide a reliable, real-time risk posture? Working with trusted partners in the cybersecurity industry is crucial to help shift this mindset, enabling insurers and MSSPs to embark on collaborative partnerships and reduce risk together.
The threat landscape is no easy place to be, especially for businesses with limited budget and resources. Organisations both big and small need to identify the best way to reduce their own risk of falling victim to a breach, which in turn leads to more affordable premiums. One of the most cost-effective and proactive measures to achieve this is investing in a cyber retainer. Retainers can be designed around the specific needs of a business, and time and money not spent responding to an incident can be rolled over into improving the company’s overall cybersecurity posture, so the spend is not wasted in a quiet year. The small, regular cost of a retainer can be planned and budgeted for, while also demonstrating to insurers that cybersecurity is being prioritised proactively.
Cybersecurity experts and insurers shouldn’t be at odds with each other. The two can, and should, work together to find new and better ways to measure cyber risk, price premiums and protect customers.
About the author: Lawrence Perret-Hall is the Director at CYFOR Secure. He leads CYFOR’s commercial department with a strategic, consultative and personal approach. Experienced in all disciplines at CYFOR, he is predominantly responsible for advising clients on the management of digital evidence, including the application of forensic techniques and eDiscovery technology.