Guest Column | May 18, 2023

Why Companies Should Consider Cyber Insurance When Navigating Today's Business Landscape


By Jonathan Goldberger, TPx

With so much discussion about the cybersecurity threat facing businesses, companies and MSPs have two primary options to consider: reinforcing systems and cyber insurance.

Certainly, bolstering their systems to mitigate the threats posed by bad actors is critical. But an offering like cyber insurance also can help companies prepare for the worst-case scenario.

In short, cyber insurance shields businesses from risks arising from internet-based activity and information technology infrastructure.

While many businesses think their regular business insurance includes this type of coverage, a traditional insurance policy usually excludes cyber risks. That leaves them at risk should the worst happen and a bad actor successfully target them.

One concern businesses often cite for not procuring cyber insurance is its cost. While various factors will impact cyber insurance costs, including size, location, and preparedness, the cost starts at about $1,500 annually.

Because cyber threats are on the rise, cyber insurance providers have responded with higher rates — sometimes increasing 70% yearly. While this may make some businesses think twice before securing or renewing their policies, they should consider that cost against the cost of falling victim to an attack.

The cyber insurance industry has grown in recent years. What was a $7.8 billion industry in 2020 could grow to $20 billion by 2025, according to Insurance Business.

According to Hiscox, an international cyber insurer, nearly one in four small businesses (23%) suffered at least one cyberattack in the past year. Cybercrime is a growing threat that does not discriminate based on a company’s size or industry.

What Is Cyber Insurance?

Cyber insurance coverage goes beyond recovering a company’s infrastructure and could protect organizations against litigation.

It may include first-party coverage of data destruction, denial of service attacks, extortion, hacking, and theft. Coverage could also indemnify companies for losses that others caused from defamation or a failure to safeguard data. Other coverage benefits may include security audits, funds for rewards to apprehend the perpetrators, and coverage of expenses for investigations.

The short answer is that businesses of all sizes need cyber insurance. It isn’t limited to any specific industry but certainly includes e-commerce, retail, state and local governments, and professional service companies.

Cyber Insurance Requires A Thoughtful Approach

Insurance companies will require companies to get a third-party assessment — a risk assessment or a cybersecurity gap assessment — to make sure they are doing the basic “block and tackle” tactics.

Conducting a gap assessment is an excellent way for companies to understand where to begin. Cybersecurity renewals are essential; a third party can help validate any approach.

Credible third-party companies can conduct such an assessment and also offer many of the services that insurance companies want. These assessments may make companies eligible for cheaper premiums as an added benefit.

Don’t Forget The Basics

The good news is industry standards — including those outlined by the National Institute of Standards and Technology (NIST) or Cybersecurity & Infrastructure Security Agency (CISA) — offer a road map for businesses’ security programs. Both agencies have guidelines for the steps organizations can take to protect themselves.

Considering that human error is responsible for nearly 90% of successful breaches, the first step for companies is to consider an approach as simple as security awareness training. Gap assessments often bring these shortcomings to the front.

User training is important to educate staff on proper cyber hygiene, and how to identify threats and cyberattacks they may encounter via email, on the web, and in their daily routines.

Companies should use continuous training techniques versus only training employees once or twice a year to ensure cyber best practices stay top of mind.

Many people forgo coverage if they don’t implement certain approaches, such as Endpoint Detection and Response (EDR) or System and Organization Controls (SOC).

EDR must be part of any cybersecurity program to get cyber liability insurance and help protect an environment with 24/7 monitoring and alerting. Running a Next-Generation Antivirus (NGAV) can improve an organization’s endpoint security.

Without tools like EDR, underwriters may determine the company’s risk is too great to cover. If they are in place, they can help companies lower the cost of their cyber insurance premiums.

Start The Process With A Conversation

The biggest mistake companies make regarding cyber insurance — and their security approach — is leaving it in the dark. Instead, they should bring it to the forefront with their partners, customers, and team members.

Everyone has a role to play in the modern security framework. Talking about security reinforces the idea that everyone can make a difference — and for MSPs, highlighting their security approach could be the difference maker.

Some providers have specific dates when companies can start or renew their policies. While dates may vary from one insurance provider to another, key renewal dates typically include July 1 and August 1 (and, less so, January 1).

Running a business is expensive and complicated enough. Ignoring cyber threats is equivalent to playing with fire, especially considering the opportunities companies have to act — whether it’s new security protocols or securing cyber insurance.

It can sometimes be frustrating fighting today’s threats; it seems like the battle will never end. But now is not the time for businesses to lower their guards; those who want to do harm are counting on fatigue.

About The Author

Jonathan Goldberger is an accomplished Senior Executive at TPx with more than 25 years of success spanning security and technology roles. He has diverse cybersecurity experience leading security consultancies at TPx, Cisco, Sourcefire, and Cybertrust, sales engineering at Venafi, and as General Manager Security Solutions at Unisys. Jonathan’s expertise extends across managed services and professional services from the enterprise to the small business. As an entrepreneur himself, Jonathan is keenly aware of the small business challenges and the need for security solutions that protect against the most relevant risks.