Cyber Insurance Driving Risk Reduction

If you are a business owner or decision maker in a small business, you've probably dealt with cyber insurance in the last few years. It's certainly not a "fire and forget" type of policy like an E&O (errors & omissions) or D&O (directors & officers) policy. The changing world of cyber attacks has driven changes in cyber insurance coverage almost annually.

Now we have some proof that having a cyber policy not only protects you when the going gets tough, but also helps prevent you from ever getting to the tough.

While the report references the services and software made available by the carriers as part of the policies, we see the carriers' prerequisites as being most beneficial in small businesses.

I've seen this since my first day working in a cybersecurity job 20 years ago. An organization isn't going to act unless there is a force requiring it to act. In worst cases, that force is the fallout from a massive and devastating breach. In better cases, that force is a requirement from a government, a regulatory agency, an industry trade group, a business partner or client, or an insurance carrier.

As we tend to do in so many other areas, we don't want to act until we can see the consequences of not acting. We don't exercise and eat better until we can't fit in our pants any longer. We don't go to the doctor until we feel a pain that just won't go away. Cyber attacks are constructed in such a way that when you feel the pain, it's already too late. They are built that way to maximize the pain and put you in a better mood to pay up.

There is a plethora of regulatory and voluntary frameworks out there. While insurance carriers typically don't prescribe or require adherence to a full set of controls, they will prescribe some of the most basic controls like encryption, malware protection, managed remote access, and certainly multi-factor authentication. These are meant to make you less palatable to cyber attackers.

While the requirements to get a cyber insurance policy aren't very strict, they are improving year over year. The insurers are paying out record claims on their cyber policies and that's not good for their business. Just as they wouldn't want to insure a house made of flash paper, they don't want to insure your poorly secured business (at least without charging you an arm and a leg). They know these proactive measures reduce your risk and, therefore, their risk of paying a claim on you.

It's good to see the proof that these controls work, even if they are only a tiny subset of what a business should consider. Do yourself a favor and see how these things could help your business better fend off a cyber attack.