Cyber insurance is difficult to manage for a lot of our smaller customers, and it’s not just because it can be expensive. Insurers are becoming more demanding, and those demands are becoming more specific. Our fear, frankly, is that outside money and influence will drive insurers to focus on a small subset of products and services, at the expense of a comprehensive security posture. As a small company ourselves, we feel the very real existential threat of being squeezed out.
And even setting those fears aside, cyber insurance isn’t cheap. Although premiums aren’t increasing as fast as they used to, they’re still rising, and the overall cost of getting insured is up by double digits over last year.
Motivated by these concerns, we thought it would be beneficial to get some advice on how to ensure your organization can 1) qualify for cyber insurance, 2) secure the lowest premiums possible, and 3) make sure security remains a high priority. So, always open to a second opinion, we asked a few CISOs for their take on cyber insurance at large, hoping to gain a different perspective. Here are their responses, unfiltered.
Meet the CISOs
Nigel Sampson is the Global Leader of Cybersecurity for IDG and a member of NIST COI for Zero Trust. He brings extensive experience from a diverse background, having served in previous leadership positions within the healthcare, financial services, communications, technology, transportation, cybersecurity, and digital payment processing sectors. His current role at IDG involves strategic planning, IT risk management, and security assessment for the multi-billion-dollar market intelligence and demand generation firm.
Chad Walter is Chief Revenue Officer at Paperclip, a technology partner providing secure document capture, processing, and storage. In his scope of work, he helps to create secure, encrypted critical data environments that prevent hostile takeover and ransom-related manipulation. Chad’s areas of expertise extend to corporate strategy, team building, searchable data encryption, account management, and more.
Anthony Dagostino is an insurance executive with two decades of experience within the insurance and risk management arenas. Focusing the majority of his career in cybersecurity and technology, he built and led highly successful and profitable underwriting, broking, and consulting teams. Anthony has advised some of the world’s largest companies on risk management strategies, practical applications for risk quantification, and operational risk-focused approaches to cybersecurity.
Q: Based on your experience with cyber insurance, what are some of the key elements other leaders in the security industry need to be aware of when looking at purchasing a policy?
Nigel: I have a few ideas.
- Firstly, work with a broker instead of going directly to a carrier. This will provide a broader selection of carriers and a better price.
- Have the broker shop for at least 3-5 quotes. Rates are coming down, so chances are on your side.
- Ensure that the policy includes the cost of incident response professionals who will be involved in recovery.
- Ensure you have a documented information security program. The carrier will likely ask for policies and procedures. This may be before the policy is underwritten but could be requested after an incident and a claim is made.
- Look for carriers that can cover at least $5 million. The average cost of a breach is now around $4.5 million. The policy will cover this and some business costs.
Chad: When answering the insurance provider’s questionnaire, answer it honestly for two reasons:
- There is a high probability that the insurance provider will audit your answers and
- Your answers can be used against you in the event of a breach. If it is determined that you falsified your cybersecurity position, you may be denied a payout when you find yourself needing it most.
It is becoming more challenging to get cyber coverage as carriers are more selective on who they cover and for how much. Much like insuring a home that requires you to have working smoke alarms, proper drainage, etc., cyber insurance providers expect you to have adequate protections in place.
Anthony: The increasing severity and frequency of ransomware attacks in the recent past have forced cyber insurance companies to be more demanding on their clients in terms of what protection they need to have to qualify for cyber insurance. Be aware of that, and just make sure you have your ducks in a row before going in. That could save you a lot of time and be the difference between getting a policy and getting denied.
Q: What advice can you share to help others understand the benefits, what to look out for when selecting a provider and how they can lower the cost of their policy?
Nigel: The benefit of finding a good carrier is that the carrier has a history of responding quickly to incidents and assisting with the recovery by providing cyber experts to help with incidents.
Lowering the cost of a policy depends on the level of maturity of the information security program. A well-documented program that includes good vulnerability management, patch management, documented policies, procedures, and regular penetration testing goes a long way to reducing premiums. Providing a SIG may also add to lowering the premium.
Chad: When we talk about benefits, we have to temper expectations. Remember that cyber insurance is NOT a cybersecurity program. It is part of your recovery and/or your continuity program, but cyber insurance will never keep you from suffering the impact of an incident or breach.
As it relates to cost reductions – if you want to reduce the cost of your cyber insurance, invest properly in a cybersecurity program that includes data encryption.
Anthony: You absolutely need to have the right controls in place if you want to lower your policy amount and, increasingly, if you want to qualify at all. The main three that we look for now are:
- Patching CVEs and open vulnerabilities on the public-facing web
- An incident response plan that is in place and tested
- Multi-factor authentication (MFA); this is now critical.
Q: What are your predictions regarding the pricing of cyber insurance in the foreseeable future?
Nigel: Premiums are coming down as companies improve cybersecurity maturity and threat actors are being caught or disrupted. Technologies are also getting smarter and providing better protection of company assets. However, carriers will begin to ask for more and more details of the information security program, even bordering on full risk assessments. In the future, businesses may have to provide the last information security risk assessment conducted by a third party.
Chad: Due to the rise in organized cybercrime, the need for cyber insurance will continue to escalate and therefore, so will the costs. Not only do you need cyber insurance to protect your business from the impact of a cyber incident or breach, you may now need to prove cyber insurance coverage to win or retain business.
Anthony: What’s really going to make the difference going forward in terms of price is going to be how well prepared you are as an organization. For example, MFA is just a given now. It’s like sprinklers in the factory; you either have it, or you’re out of luck. But when it comes to lowering costs, we’re seeing “good driver discounts” for those with certain critical or highly valuable security components already in place. As the increasing quantity and severity of incidents drive the risk up, organizations and carriers are working together to lower premiums on a case-by-case basis by making those merit-based discounts available.
Q: As a security leader, what is your stance on being told which tools you should be using to protect the company assets?
Nigel: I am always open to suggestions but would not be open to prescriptive tools. Security leaders should understand their business and create a security program customized to the business. For a third party to determine specific solutions could create more risk, not less.
Chad: As a cybersecurity leader, I am always skeptical when I hear that a cyber insurance company is pushing specific cybersecurity tools. Suggesting tools that other clients leverage for specific needs can be beneficial, but requiring a specific vendor’s tool is always suspect. Cybersecurity leaders have to evaluate tools related to their specific needs and programs.
Anthony: I can’t speak much to individual tools, only to the fact that you will find insurance companies willing to subsidize, incentivize, or otherwise work with you to help you obtain the tools needed to help you qualify for coverage. I will say that a significant concern is ransomware protection.
If we want to talk about controls, there are at least ten that I know companies are really looking for right now. Those include, but are not limited to, MFA, offline backups, incident response plans, network segmentation, patching cadence, privileged access management (PAM), and identity access management (IAM).
The answers above are insightful and accurate, no doubt, and a big thank you to Nigel, Chad, and Anthony for your input. Here’s to surveying the landscape, assessing the risks, and implementing practical solutions that give you the best bang for your buck.