Advice on cyber insurance.
Welcome to Cyber Security Today. It’s Wednesday, September 6th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
Is your organization having trouble getting cyber insurance? Having trouble keeping cyber insurance? Having trouble getting a claim accepted under your cyber insurance? You’re not alone, according to Delinea’s latest State of Cyber Insurance Report. It surveyed 300 American organizations. Seventy-nine per cent of respondents said their insurance costs increased when it came time to renew. And of those, 67 per cent saw an increase on their premiums of at least 50 per cent. Almost all had to purchase at least one new security solution to get insurance. And some companies found it took six months or more to get or renew cyber insurance.
But look at things from the insurers’ point of view. Of those surveyed, 47 per cent of firms had to use their cyber insurance more than once. And, as everyone knows, the number of cyber attacks are increasing, as are recovery costs.
Small wonder insurers are increasing the number of exclusions in policies that allow them to refuse to pay a claim. Things like, the organization lacked IT security protocols, employees didn’t follow compliance procedures, the breach was caused by human error or the attack can be considered an act of war by a foreign government.
Large companies that can afford to spend on cybersecurity have an advantage over smaller ones. Only eight per cent of large organizations surveyed said were denied coverage. By comparison, 28 per cent of smaller firms said they couldn’t get cyber insurance. The top reason small companies were denied a policy is they didn’t have adequate security controls.
There are some lessons from the report. First, remember that cyber insurance is only a safety net that covers certain expenses. Cyber insurance is not cybersecurity. Second, the bar for security controls demanded by insurers is higher than ever, which may require spending on technical solutions and hiring skilled resources. Third, have your lawyer read the fine print of the policy before signing. There may be so many exclusions a policy isn’t worth it. Or, get insurance but have a rainy day fund for situations that won’t be covered.
A commentator for the SANS Institute had one thought that caught my eye: Firms should build a superb cybersecurity program and use that as an argument to get a discount on the premium. Or, look at spending and creating security policies as self-insurance.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
