As cyber risks and the threat of cyber attacks have increased for small and medium-sized businesses, so has the need for cyber liability insurance. Cyber insurance helps you cover costs involved with mitigating and recovering from a data breach. This kind of coverage is not usually part of your general business coverage, and you shouldn’t assume that you’re covered under your managed IT service provider’s plan, because you’re not.
You also can’t assume that you’ll never experience a cyber intrusion or encounter this kind of loss situation. No one can guarantee that you’ll never have a cyber attack, and when it happens, you’re going to want the resources that cyber insurance provides to deal with it.
Have you talked with your agent about cyber insurance yet? When you do, you’re going to find out that the requirements for getting good coverage are getting more intense, and premiums are going up as more claims are being filed.
What can you do to qualify for cyber insurance, and then get the best rates and coverage?
I talked with two Southern California insurance professionals, Jermaine Brown with INSURICA and Dana Dattola with Weaver & Associates, to get the story.
In this article, you'll learn:
- How Cyber Liability Insurance Pricing is Determined
- Your Security Stature and Risk Level Are Connected
- Four Cyber Security Tactics to Improve Security Posture
- Outsourced IT and Cyber Security Services Can Reduce Premiums
How Cyber Liability Insurance Pricing is Determined
When you fill out a cyber liability insurance application, you’ll need to provide a lot of basic information about the size of your company, your industry, and descriptions of your current technology infrastructure, IT staffing, support, security, and processes.
You’ll need to classify the kind of data you regularly interact with, including how much of it can be considered proprietary or is considered Personal Identifiable Information (PII). You’ll also need to describe your policies and procedures that control how data is gathered, stored, and transferred.
Applications vary in length and detail, but here are a few things you’ll typically have to answer:
- Do you have offsite backups? Do you test the viability of your backups?
- What's your data retention policy?
- Are you patching all operating systems and applications? What's your patching process?
- Do you process payments?
- Is remote access secured with VPN MFA?
- Does your web-based email utilize MFA?
- Are your systems encrypted?
- Do you have a disaster recovery/business continuity plan?
- Do you have internal safety controls for data access?
- Are you using next-gen antivirus?
- Do you have Endpoint Detection and Response (EDR) tools?
- Are you filtering email for spam?
- How often do you conduct vulnerability scans?
- How often do you conduct penetration tests?
- Do you conduct regular security awareness training?
- If you've already experienced a cyber event, what have you done to improve security to prevent the same thing from happening again?
(If you read that list and thought, "I have no idea...," for some of the items, you're not alone. We help business leaders work through the cyber insurance application process with their insurance providers all the time. Give us a call if you need a hand.)
Cyber liability insurance is still relatively new, and getting affordable coverage is still attainable for most companies.
"I haven't had an issue getting coverage for clients at this point, even if they've had a prior incident. But the better their system is protected, the higher the level of IT professionals and technologies that they're working with, the lower the costs will be."
- Jermaine Brown, INSURICA
Your Security Stature and Risk Level Are Connected
Much like any other policy, insurers need something by which to measure the level of risk that they’ll be sharing if they decide to issue coverage. By assessing your security posture through the application process, underwriters can build a picture of your risk exposure.
While the application is quite detailed, even this may not be enough for some carriers. Some are running external vulnerability scans on applicants. This allows them to actually test the company's defenses and get a more complete picture of their risk profile to determine pricing.
If you can’t check off every security tactic that’s listed on the cyber liability insurance application, that doesn't automatically disqualify you -- you'll likely be able to get coverage but expect it to be more expensive or not as good as you could have gotten if you had a better risk profile.
"Cyber coverage is still affordable but we are anticipating large increases on renewals and more 'warranties' in the policy which reduce coverage if insureds don’t properly follow risk management practices. For example, your coverage will reduce by 50% if you fail to install any known patches to your applications within 30 days of notice. We recommend EVERY business obtain cyber liability and also work with a professional IT provider to put proper practices in place."
- Dana Dattola, Weaver & Associates
To summarize, there are some factors that you can’t control when it comes to getting the best rates on cyber insurance – like the size of your company, your industry, and the amount of proprietary and Personal Identifiable Information (PII) you store.
What you can do to improve your risk profile to get your best coverage and rates is to strengthen your security posture.
Four Cyber Security Tactics to Improve Security Posture
In case you haven’t realized it from the list of questions that cyber insurers are asking -- the baseline for security has changed. What used to be considered “advanced” technologies that were nice-to-have extras, are now considered foundational requirements for security.
So where do you start if you want to build up your security posture?
Here are four cyber security tactics that are becoming more important for coverage – and for establishing a more effective security strategy. Keep in mind that every tool that you add will need ongoing management.
- Endpoint Detection and Response (EDR) – This technology uses Artificial Intelligence (AI) to detect intrusions into the devices that are connected to your network and stop the intruders before they can move deeper.
- Security Incident and Event Management (SIEM) – This technology keeps detailed records of network activity so that when a cyber incident occurs, you can find out exactly what happened.
- Internal & external vulnerability scanning – Vulnerability scanning is used to test the effectiveness of your security tactics and uncover areas that need to be improved.
- Multi-factor authentication (MFA) for remote access and web-based email systems –This requirement validates the identity of people who are accessing corporate accounts.
Outsourced IT and Cyber Security Services Can Reduce Premiums
Insurance companies look favorably on businesses that outsource some or all of their IT management. That’s not to say that companies with a robust internal IT department wouldn’t qualify for cyber liability insurance – they absolutely can.
However, insurance companies see businesses that utilize a managed IT services provider or managed security services provider as less risky. Outsourced services typically have their own insurance and are bound by contracts and SLAs, putting less risk in the hands of your insurance carrier.
Improve Your Southern California Business’s Cyber Risk Profile
When it comes to getting the best rates and coverage on cyber insurance, a better risk profile leads to better coverage and lower premiums. The best reason to improve your risk profile, however, is to prevent cyber attacks.
Accent Computer Solutions is a Managed Services Provider (MSP) and a Managed Security Services Provider (MSSP). We work in conjunction with your internal IT staff or operate as your outsourced IT department to create and manage IT systems that are predictable and secure.
Whether you need peace of mind about security, you want to find more ways to leverage technology, or you need a higher level of IT, we’re here to help. Contact us for a cyber security assessment to get started.