Underwriters are under intense pressure to counter the soaring number of ransomware payouts.
Where insurers' policy wording has lagged behind what their customers actually needed covered, courts have in several cases ruled in favor of the companies that submitted claims. That has sent shivers through the insurance industry.
Insurers have responded by imposing onerous requirements. They want full monitoring of the entire organization, for instance a 24/7 security operations center (SOC) service, and they want endpoint detection and response (EDR).
For large organizations these requirements are less of a problem; they already have an army of people watching for these things around the clock. For small and medium-sized enterprises (SMEs), the new requirements call for sizable investments that have not been budgeted, and that is a serious problem.
Nor is that where the additional outlays end. Even with the tighter requirements, it is safe to assume that insurers will raise premiums significantly to recover the billions of dollars they have had to pay out. If the industry as a whole is experiencing a surge in ransomware claims, then everyone's cyber insurance premiums will be affected. Insurers will recoup what they paid out; that is simply how insurance works.
Companies therefore face a double whammy: they are required to make big investments and to pay higher premiums.
Smaller businesses can, at least in the short term, defer some of that investment by understanding precisely what insurers are looking for. The key point is that insurers want to see good, solid foundations for a cybersecurity program in place.
In the absence of a 24/7 SOC or EDR, a smaller organization needs to demonstrate to the insurer that it follows best practices and takes cybersecurity seriously.
Having compensating controls in place can mitigate some of the insurer's concerns. Even without a 24/7 SOC, you may have a tool that aggregates security alerts from your systems and automatically notifies the person on call.
That is not as real-time as having an analyst on the glass around the clock, but it is an approximation, and you can present that control to the insurer as a mitigating factor.
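To make that control concrete, here is an added example (not from the original article, and not any vendor's product) of what an alert-collection-and-paging tool looks like at its core: it ingests alerts from several sources, pages the on-call person only for alerts at or above a severity threshold, suppresses repeats of the same alert inside a deduplication window so an alert storm does not produce a hundred pages, and keeps counts that can be shown to an insurer as evidence that the control is exercised. The pipe-delimited alert format, the alert lines, the hostnames and the rule names are all constructed for this example; the page messages are returned rather than sent, where a real deployment would hand them to a pager, SMS or chat hook.

```python
"""Minimal alert aggregation and on-call paging pipeline.

Added example, not part of the original article. It models the control the
article describes as an approximation of a 24/7 SOC: collect alerts, decide
which ones warrant waking the on-call person, and keep the metrics an insurer
may ask to see. All alert data below is constructed sample input.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PAGE_THRESHOLD = "high"               # page on-call for high and critical only
DEDUP_WINDOW = timedelta(minutes=30)  # one page per (source, rule, target) per window

# Constructed sample alerts: "<ISO timestamp>|<source>|<rule>|<severity>|<target>"
SAMPLE_ALERTS = [
    "2024-03-01T02:14:05Z|edr|ransomware.behavior|critical|ws-114",
    "2024-03-01T02:14:09Z|av|trojan.generic|medium|ws-114",
    "2024-03-01T02:16:40Z|edr|ransomware.behavior|critical|ws-114",  # repeat inside window
    "2024-03-01T02:20:00Z|email|phishing.click|high|alice",
    "2024-03-01T03:05:00Z|edr|ransomware.behavior|critical|ws-114",  # window expired: page again
    "2024-03-01T03:10:00Z|av|pua.toolbar|low|ws-203",
]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str
    rule: str
    severity: str
    target: str


def parse_alert(line: str) -> Alert:
    """Parse one pipe-delimited alert record (the constructed format used here)."""
    ts, source, rule, severity, target = line.strip().split("|")
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {severity!r}")
    return Alert(datetime.fromisoformat(ts.replace("Z", "+00:00")), source, rule, severity, target)


def classify(alert: Alert, last_paged: dict, threshold: str, window: timedelta) -> str:
    """Decide what happens to one alert: 'page', 'below_threshold' or 'duplicate'.

    The dedup window is measured from the last page for the same
    (source, rule, target), so a storm of identical alerts yields one page
    per window instead of one page per alert. Mutates last_paged on a page.
    """
    if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[threshold]:
        return "below_threshold"
    key = (alert.source, alert.rule, alert.target)
    prev = last_paged.get(key)
    if prev is not None and alert.ts - prev < window:
        return "duplicate"
    last_paged[key] = alert.ts
    return "page"


def format_page(alert: Alert) -> str:
    """Message handed to the on-call person (here returned, not sent)."""
    return f"[{alert.severity.upper()}] {alert.source}/{alert.rule} on {alert.target} at {alert.ts.isoformat()}"


def triage(lines, threshold: str = PAGE_THRESHOLD, window: timedelta = DEDUP_WINDOW):
    """Run the pipeline over raw alert lines; return (pages, metrics).

    pages: the on-call notifications that would have been sent, in time order.
    metrics: counts of what was received, paged and suppressed, the kind of
    evidence the article says an insurer wants to see for a control.
    """
    alerts = sorted((parse_alert(line) for line in lines), key=lambda a: a.ts)
    last_paged: dict = {}
    pages = []
    metrics = {
        "received": len(alerts),
        "paged": 0,
        "suppressed_duplicate": 0,
        "below_threshold": 0,
        "by_severity": {s: 0 for s in SEVERITY_RANK},
    }
    for alert in alerts:
        metrics["by_severity"][alert.severity] += 1
        outcome = classify(alert, last_paged, threshold, window)
        if outcome == "page":
            pages.append(format_page(alert))
            metrics["paged"] += 1
        elif outcome == "duplicate":
            metrics["suppressed_duplicate"] += 1
        else:
            metrics["below_threshold"] += 1
    return pages, metrics


if __name__ == "__main__":
    pages, metrics = triage(SAMPLE_ALERTS)
    for page in pages:
        print("PAGE ->", page)
    print("evidence:", metrics)
```

On the constructed input the six alerts produce three pages: the first ransomware detection, the phishing click, and the ransomware detection that recurs after the 30-minute window has expired. Widening the window (for example to two hours) collapses the recurrence into the first page, which is the trade-off to weigh when tuning it: a longer window means fewer interruptions for the on-call person but a slower second look at a host that keeps tripping the same rule.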
Email is still one of the primary infection vectors. If you have effective controls there, that is also a persuasive argument that the right foundational elements are in place. The same goes for endpoints: you might not have EDR, but reputable antivirus and anti-malware software running on every endpoint and server carries real weight, even though it offers little protection against zero-day malware.
What concerns insurers most right now is ransomware, because of the size of the payouts. If you can demonstrate that your first line of defense, your users, is being trained and assessed, and you can provide metrics showing where they stand, that goes a long way toward proving your commitment to a secure environment.
It should be obvious, but I will say it anyway: essential to all of this is making sure the controls you do have are hardened and working as advertised. To convince the insurer that those controls are effective, demonstrate it with metrics and other evidence; that is a persuasive and verifiable way to show you are on top of things.
Smaller businesses may not be able to stave off the big cybersecurity outlays forever, but for the time being, convincing the insurer that you are serious can help keep you covered until that time comes.