230,000 new pieces of malware are created every year, the frequency of data breaches is increasing with 11% of Australian businesses breached each year, and even the cost of a breach is up 6.4 percent over the previous year to USD$3.86 million. Companies are increasingly reliant upon their digital functions for their core operations, and with cybersecurity threats increasing, cyber insurance is the largely unsung protector of organisations from the direct and indirect costs of a cyber security breach — and not having enough coverage can be costly. Cyber insurance is no longer optional.

Cost of a Breach – Courtsey of IBM

Why Cyber Insurance is Necessary

Cyber criminals, like their physical world counterparts, will focus on low-hanging fruit in terms of who is easy to acquire target, and who is most vulnerable. And that could potentially be you, even if you think you’re not a prime target. Cyber criminals will look at all attack vectors and exploit the most available, not necessarily the most valuable. No company in the world is fully safe, but it is up to the organisation as well as their vendors to ensure they are constantly mitigating those risks to avoid:

  • Business Downtime
  • Loss of sales to the business
  • Damage to the brand and reputation
  • Costs of investigation and resolution
  • Compliance issues, fees, penalties, government bodies plus dealing with the mandatory data breach legislation

While enterprise organisations are accustomed to dealing with threats, half of all malware targets are now small businesses. In some countries, full-scale organisations have been created to conduct cyber attacks, replete with support teams through to a board of directors. These operations are incredibly professional and incredibly dangerous – organised cyber crime is an established and serious industry, regardless of its legality.

As with all threats, the option to hedge against them for a fee has been established and evolved. Cyber insurance protects you from the costs associated with any potential compromises with ramifications ranging from potential regulatory fines and penalties, civil cases launched by users, to being rendered unable to do business while the breach is resolved. With the modern threat landscape, it’s vital for just about any business to be covered.

A cyber security attack can be devastating to a business. Many businesses that experience a substantial cyber security breach will close within a year. With the appropriate level of cyber insurance, the chances of a catastrophic failure are significantly decreased.

How Cyber Insurance is Calculated

As with any other type of insurance, cybersecurity insurance premiums are calculated based upon the organisation’s risk factors and the required level of coverage. Some major risk factors include:

  • Size of the business. A small business is naturally going to cost less than a large enterprise to insure. In general, the amount of revenue that your business brings in will have a direct impact on the cost of your policy, as it correlates to the amount of activity your business conducts, and the associated risk profile.
  • The industry the business is in. Some industries are naturally more risk-prone than others. A business that does strictly eCommerce, for instance, is going to cost more to insure than a pure brick-and-mortar retailer with a relatively tiny digital footprint.
  • The amount and type of records the business stores. The cost of a cyber security breach is often measured based on the nature and scope of records that have been breached. The more records the company maintains, the level of sensitivity, the greater the potential cost. A medical facility or financial institution is going to be greatly impacted, while a clothing store less so.
  • The coverage the business requires. Businesses can control their premiums by purchasing more or less coverage, and with risk appetite being taken into account.
  • The measures the company has taken to protect themselves from occurrences of cyber crime, and the steps it’s taken like pentesting and cyber assurance to install protocols to address the extent of damage, and provision of remediation.
Caluclating ROI for Cyber Insurance isn’t Easy, But it’s Important

If a company wants to know how to reduce cyber insurance premiums, it should consider addressing the above issues through self-assessment and then an independent security audit from a reputable organisation like Fort Safe as priority. From there, it can consider bundling any existing insurance policies, and looking for additional discounts before taking more active and direct steps.

How You Can Actively Reduce Your Cyber Security Premiums

One of the easiest ways to reduce the cost of cyber insurance premiums is to work with a specialist security organisation. A credentialed security service company like Fort Safe will be able to provide an audit of core operations’ technologies through to more detailed deep-dive evaluations of code used in apps or systems you may have developed or implemented. Like physical security, there is very much a ‘weakest link’ aspect to cybersecurity, as any vector for attack may be leveraged before a criminal pivots once your systems are compromised. This translates to the necessity for a holistic approach; from device management policy, through to full code reviews, to how data is encrypted when at rest, individual firewall rules, and everything in between. In performing these assessments, consultancies naturally make the company more resistant to a security breach, and can limit the potential any compromise may have if such an event were to take place.

There a few ways to immediately reduce cyber security risk and cyber insurance costs:

  • Conduct regular and routined penetration testing. This includes infrastructure and web application testing to help identify gaps in your organisation, giving you visibility over previously unknown issues and subsequently a chance to remediate.
  • Implement security standards such as two-factor or multi-factor authentication (2FA/MFA) and data encryption. These were ‘optional’ security measures for many years, that have since become essentially compulsory for modern businesses.
  • It can take six months for most companies to detect data breaches. Creating a plan for disaster and incident response. A cyber insurance company wants to see that your company can react quickly and responsively, typically augmented through a service like Fort Safe’s Incident Response.
  • Conduct a third-party security assessment and audit. A recent audit will show that you are invested in your company’s security and that you have analyzed, addressed, and proactively addressed any potential gaps in your security.

In general, the better your security is, the less risk you have, and the less your cyber security insurance will cost. In fact, with thoughtful and intelligent planning, working with an expert consultancy to develop and adhere to a detailed and effective security roadmap can have a positive ROI and reduced premiums are absolutely a part of that equation.

Prevention and Prepartation are Better Than Hope

Executive Buy-In

A holistic approach to ensuring your organisation is on board with their security departments approach is to raise these concerns at the executive level. Whether you are the CISO yourself and you are going in to campaign for budget around why this particular approach is required, if your IT or security team are developing the artefacts, or if you’re orchestrating service partner agreements, then ensure you have this aspect covered.

A few things to consider when you are communicating at this C-level:

  • Provide an overall threat landscape of the security industry; senior leaders can see where their competitors have fallen short or where they can see a breach in another sector and what that did for their company in terms of brand damage and overall financial impact.
  • Provide supported facts derived from the security team that paint a picture of the overall company security posture.
  • Ensure that you are displaying data and insights in a way that makes sense to people not from an IT or security background, and explain to them what these facts and figures mean.
  • Be factual in your approach which is then supported by your report or presentation – avoid anecdotal evidence in your approach, because it could potentially be overlooked.
  • Explain that if the company invests in security and the required insurance it will decrease the chances of being breached, and also there are clear and precise protocols in place in a scenario if a breach were to occur.

Why an External Approach Has Better ROI

A security consultancy will be able to limit the amount of exposure that an organisation has, improving their security posture and thereby reducing the likelihood of an incident, and as a by-product; also their cybersecurity premiums. A company like Fort Safe with expert security personnel forgoes the expense of developing internal capabilities through increased headcount of (very) high-salary human capital.

If you want to make sure your business is protected, the time to act is now. Organise a time to speak with us about how we can reduce your premiums and keep your business safe.