There is no precise how-to guide for lowering your cybersecurity insurance premiums, because every business is different, but you can tilt the odds in your own favor.
We've put together four tried-and-true best practices to improve your chances of getting a more manageable cybersecurity insurance premium. Let's review.
If it's old, or you don't need it anymore, get rid of it. We've seen scenarios where organizations are still retaining and securing 50-year-old sensitive data, and it costs them a fortune to protect it. Do not become a data hoarder, especially when that data is protected by compliance regulations, which you will need to meet in order to qualify for most cyber insurance policies. Determine what data you can eliminate and purge it. You'll have fewer compliance hoops to jump through and an easier time getting an affordable cyber insurance policy.
Knowing how much coverage you need might seem obvious, but it's trickier to determine than you'd think. We've seen many businesses buying too much coverage, or not distributing that coverage where it needs to go. It's deceptively hard to navigate. That's why we'd recommend partnering with a consultative broker or an IT consultant with industry connections. They can give you a baseline of the coverage your peers are carrying and take a deeper dive into your environment to ensure that you have coverage where you need it and less where you don't.
We learned in our recent Security User Group that the cybersecurity insurance market deems the following security controls important.
How are you detecting and preventing cyber threats? Underwriters will investigate whether and how you're enforcing multi-factor authentication (MFA). They'll want to know how you're protecting privileged accounts and data, how you're securing remote access, and how you're managing administrative access. [1] Check out our MFA checklist for more information on what you'll need.
Detection and prevention also covers Endpoint Detection and Response (EDR), email filtering, and web monitoring. Ultimately, you need controls in place that ensure you know who is accessing your network and data. The level of detection and prevention you need depends on your environment.
Backup strategy has been a hot topic lately. Are you using immutable or mutable backups? Do you have an air-gapped backup strategy? While it's not written in stone just yet, we predict that mutable backups (backups that can be altered after they are written) will soon be ousted in favor of immutable ones. We'll talk more about partners like Cohesity that offer air-gapped backup services, immutable backups, and offline data storage in future blogs, so subscribe so you don't miss out.
This area also covers tabletop exercises and testing. Are you performing ethical hacking and penetration testing to find and mitigate vulnerabilities in your data backup and disaster recovery strategies? Being able to show this will help your insurance provider write the best policy for you and hopefully save you a few bucks in the process.
How are you protecting your network? Are you regularly patching vulnerabilities, or letting known issues slide for months on end? How are you managing privileged access? Is your network wide open to all visitors, or do you have protections in place? Are you performing network segmentation? These are just a few of the questions you should be asking yourself. If you need assistance strengthening your network protection, let us know.
Do you currently have an incident response plan in place? This could include a Business Impact Analysis (for example, knowing how a supply chain disruption would affect your operations) and security awareness training for your employees. Ultimately, insurers want to see that you have protections in place and a plan for recovery if those protections are not sufficient.
Security awareness training is a HUGE preventative measure, as most breaches and ransomware attacks start at the user level, typically with a phishing email. Do your employees know what a phishing attempt looks like, and do you have a reporting process in place? Are you regularly testing them, and your incident response, with simulated phishing and exercises?
All these components are going to affect your premiums and the type of coverage you’ll be eligible for. Check the boxes for the safety of your own environment and for your wallet.
We'd recommend leveraging the help of an experienced cyber consultant, or looking into a vCISO offering, to survey your environment and write security policies based on its needs.
For a more detailed look at Ransomware Protection and MFA requirements, check out our cyber insurance resource page and download the checklists!
As an IT consultant, it's difficult to suggest this without sounding like we're selling you something. The truth is, whatever IT consultant you consider (even if it's not us), you should find one that is knowledgeable about cybersecurity insurance requirements. Is this an extra expense? Maybe. But you'll likely save more in the long run by getting a targeted idea of what type of coverage you need. The right consultant can help you improve your security policies, work with your insurance broker to shop for the best premiums, and connect you with insurers better suited to your business.
We heard recently that you can't go straight to insurance companies for cyber coverage but must go through a broker, and honestly this is for the best. There are hundreds of insurance companies you've likely never heard of, and your broker can bid your case to all of them. They'll narrow down your options to the companies that have agreed to write for your case, which will save you endless amounts of time.
Whether you need help improving your security hygiene, creating better security protocols, or simply need a liaison between you and your cybersecurity insurance broker, IE can help. Check out our vCISO offering for help with security policies and consulting, or feel free to contact us directly if you’re not sure where to start but need a change.