It’s a widely held belief among IT security professionals that it’s not a case of ‘if’ an organisation will suffer a cyberattack but ‘when’. With the volume and sophistication of attacks growing by the day, becoming a victim is almost inevitable.
Faced with these circumstances, organisations of all sizes are making significant investments in everything from security tools and platforms to staff awareness training and external support.
However, because the chance of suffering a disruptive and costly attack is never zero, increasing numbers of organisations are also taking our cyber insurance policies. These policies are designed to cover the financial losses caused by an attack and allow an organisation to recover much more quickly.
Cyber insurance can be thought of as the last layer of a defence-in-depth security strategy. If a cybercriminal manages to breach all the layers of protection an organisation has in place, the insurance will be there to assist.
Unfortunately, due to the rapid escalation of cyberattacks around the world, cyber insurance is becoming increasingly difficult to secure. Insurance companies are ramping up their list of measures an organisation must have in place to prevent attacks. They must also demonstrate they have the capability to manage those measures and maintain an effective level of security at all times.
Since they first appeared on the market more than 20 years ago, cyber insurance policies have evolved to reflect the constantly changing threat landscape. Policies vary between different insurance companies but tend to cover a core range of areas.
Most policies will cover loss of business income as the result of an attack as well as the costs associated with system restoration. Many will also cover the cost of extortion expenses such as ransom demands from attackers.
Some policies will go even further and offer coverage for activities such as digital forensics to determine exactly how the attack occurred and the steps needed to ensure it can’t happen again. Some will also cover the costs associated with communicating details to clients about the impact of the attack and even costs associated with engaging a public relations firm to help restore the firm’s reputation.
To reduce the likelihood that they will need to payout on a cyber insurance policy, insurance companies will have a detailed list of requirements that organisations seeking coverage will need to meet.
These requirements will include everything from disk encryption on all laptops, desktops, and mobile devices to the segmentation of local-area networks. Insurers are also likely to require that multi-factor authentication be put in place as well as end-point detection and response capabilities.
Insurers are also likely to require that firms undertake regular security awareness training for their staff and also conduct annual penetration tests of their IT infrastructure.
It’s also important to remember that insurance companies are likely to refuse to pay out if it can be proven that an attack took place due to unpatched or end-of-life software being used within a company’s infrastructure. This means that undertaking regular software checks is vital.
An opportunity for MSPs
This situation might be frustrating for organisations who find they need to invest additional funds into security measures in order to obtain insurance cover, however it actually represents a significant opportunity for managed service providers (MSPs).
Many organisations will not have the knowledge or skills internally that will be needed to deploy and manage the security measures required by the insurance providers. MSPs are well positioned to act as a trusted advisor and guide their clients through the steps they will need to take. They can also help with the selection of the most appropriate insurer and type of policy.
The need for cyber insurance is going to continue to grow as the extent of threats climbs. By understanding how it works and what they will need to do to qualify, organisations will be able to take advantage of this additional layer of protection.