If the phrase “Great Scott!” in this blog’s title resonated with you, you might be a fan of the 1985 movie Back to the Future. It centers on Marty McFly and his pal, Doc Brown (the guy who shrieks “Great Scott!” a lot, and it’s funny every time). Marty travels thirty years into the past in Doc Brown’s time machine and spends the rest of the movie trying to get, yes, back to the future. See it if only for the gull-wing DeLorean, the most stylish way imaginable to travel through time.
Segue alert. Cyber insurance is a lot like a time machine. Ideally, it provides a reset: even if your organization suffers a breach, collecting on your cyber insurance policy gives you the chance to repair the damage and get back to business quickly. But, as in the movie (no spoilers), you don’t always end up exactly where you started. Why wouldn’t cyber insurance be the perfect slate-cleaner? For one thing, getting a policy, and collecting on it, involves some hurdles. As the Compliance OS masters, our team at anecdotes will walk through cyber insurance requirements, and why a solid Compliance posture is essential whether or not you decide to purchase (or ever need to collect on) cyber insurance.
We’ve talked about risk before, but here’s a quick refresher. There are four main ways to respond to business risk, each with its pros and cons, and businesses generally use a mix of these approaches:
As cyber insurance payouts have soared, insurers have raised premiums, which rose 53% globally in the third quarter of 2022. Policies have also become narrower and harder to obtain: insurers have added exclusions and imposed stricter underwriting requirements, demanding more evidence that an applicant actually has strong security controls in place. An applicant that can’t show that evidence may face a higher premium, an exclusion for ransomware and other events from the policy, or an outright refusal. And even buying coverage against ransomware attacks doesn’t guarantee the insurer will pay up.
The lack of proper controls can be fatal to a claim, as seen in Travelers Property Casualty Company of America v. International Control Services, Inc. (No. 22-cv-2145). There, the policyholder’s multi-factor authentication (MFA) deployment turned out to be incomplete, contrary to the statement on its application, leaving the organization exposed to a known weakness that a threat actor exploited. The result: the policyholder could not collect. The practical lesson for anyone filling out an application is that each control question is effectively a warranty. If MFA covers only some accounts or systems, say exactly which ones; a partial deployment reported as complete can cost you the whole policy.
Finally, what does cyber insurance actually cover in the event of a cyber attack? Direct financial loss. A policyholder who suffers a ransomware attack and does manage to collect won’t necessarily be compensated for the reputational hit.
The cyber insurance coverage gap is significant enough that the US Treasury Department has considered a national cyber insurance program as a backstop for “catastrophic” attacks involving critical infrastructure.
Still, with cyberattacks becoming more frequent, severe, and expensive, cyber insurance remains an important element of loss recovery in case of an attack.
If your organization wants to buy cyber insurance, it should take certain steps to prepare for the process. Without getting mired in details, here’s an overview of what to look for in cyber insurance coverage:
Your company should also consider the type and amount of coverage it needs, and what that coverage costs. Make sure your policy has enough coverage for your organization’s ever-changing needs. And at the risk of repetition, know exactly what your policy covers and excludes, including the triggers, limits, and conditions that affect coverage, so there are no unwelcome surprises when you file a claim.
A company seeking cyber insurance can benefit from having strong Compliance. That may not seem obvious: Isn’t cyber insurance supposed to mean that you’re (mostly) covered when bad things happen? So why is Compliance still important?
The obvious answer: whether it has cyber insurance or not, an organization that has adopted a framework such as ISO 27001 or SOC 2 will still need to show that it complies with that framework. But for a company seeking cyber insurance, a strong Compliance posture, one that reflects the presence of effective, evidenced controls, can also do the following:
In fact, insurers are increasingly asking applicants whether, and how often, they undergo third-party audits, including SOC reports and HITRUST certification.
Here are five Compliance-related cyber insurance tips that can help you get cyber insurance and strengthen your defenses at the same time:
OK. It’s not a time travel movie. Still, the goal of cyber insurance is to get your company back in business as soon as possible after a cyberattack. But why not aim higher? Robust Security Compliance is a business’s best chance of meeting cyber insurance requirements, getting coverage at better rates and without a ransomware exclusion, and reducing the likelihood of becoming a victim in the first place. You want that policy in case all your precautions fail, but wouldn’t you rather never have to collect on it, or face the disruption of a ransomware attack? When your Compliance posture helps you prevent bad things from happening, you can live happily ever after.
A Compliance operating system can scale up your risk and Compliance posture, letting you meet those cyber insurance requirements quickly and seamlessly. Get in touch today to find out how.
---------
*Compliance requirements around business continuity planning include:
**Compliance requirements around security awareness training for phishing include:
***Compliance requirements around EDR include:
****Compliance requirements around MFA include: