Cyber liability insurance has become an integral part of our current business landscape, whether you need it to protect your business or comply with industry regulations. And, if you're reading this right now, then you are probably already considering getting one. If you are, hold that thought.
Getting the best coverage for your business doesn't stop at finding a reputable and experienced insurance carrier; you have to play your part too. Preparing your environment before applying for cyber liability insurance can help you get better coverage and lower premiums.
To better understand why, we spoke with Justin Reinmuth, CEO and founder of techrug, our trusted insurance provider.
According to Reinmuth, preparation goes a long way when it comes to cyber policy. "The fewer headaches, the less the barrier to entry is; the less the coverage is. The more hoops you gotta jump over, the more work you gotta do, the more you gotta call your IT service provider to do something; the better the policy is written, the more coverage you get," he said.
At ITS, we've helped hundreds of businesses bolster their cybersecurity. From our experience, cyber liability insurance is a great safety net that can help your business mitigate the impact of cyber incidents. However, it should never be considered as your primary method of protection against cybercrime. Ensuring that you minimize your risk exposure will not only help you with your cyber policy it will also protect your business in the long run.
In this article, we'll help you understand how to prepare for a cyber insurance policy. To do that, we'll dive into the things you need to get ready before applying for one and why they are important.
6 Things to Prepare for Cyber Insurance
Preparing cyber underwriting information requires an organization to thoroughly and honestly assess its current risk exposure and potential vulnerabilities. The process will involve a lot of internal research to build a clear picture of cyber risks and how to manage them. But generally, this information can be broken down into six key categories.
Take a look below at some of the main things to look into and why insurers consider them important:
1. General Business Information
This category includes detailed information about your organization. Insurers might ask about the size of your company, annual revenue, what industry you are serving, and your products and services. This information helps them shape the profile of your business. It allows them to understand the extent of your exposure to cyber threats and to better assess what solution to offer.
Why is it important?
With this information, insurers can assess your potential exposure to claims and risks for first-party and third-party losses. While for your business, it can directly influence the amount you will be paying for coverage.
According to Reinmuth, that's because factors like what industry you serve or how much income you generate affect the level of risk involved in insuring your business.
"If you've got someone in a high-hazard industry, they're going to pay more, and maybe their cybercrime will be sub-limited. In other words, [insurers will] only offer $100,000 versus someone who's in a non-risky environment. [Businesses in lower-risk industries] might get $500,000 in cybercrime, and they're going to pay two or three times less," he said.
2. Information Security
The size and sensitivity of the data you keep is an important indicator of how much risk will be involved in insuring your business. The more data you have and the more sensitive they are, the more attractive they are for cybercriminals.
With that in mind, insurers will often ask whether you have the capability to keep track of and identify all your sensitive data. They will also inquire how you manage who gets critical access to networks and what policies you have in place to prevent data breaches.
Insurance carriers will also check if you are implementing measures like:
- Multi-factor authentication
- Email authentication measures
- Network partitioning
- And more
Why is it important?
How you manage and secure your data will inform the insurer of how you will fare in case of a cyber incident. It shows your potential risk for ransomware, data breaches, and first-party and third-party losses.
The measures you've taken to secure your data will directly influence how much you will need to pay for a policy.
3. Cybersecurity
This category involves all of the cybersecurity measures you have in place. Insurers are looking for organizations that actively participate in reducing their risks for cyber attacks. The more security measures you have in place, the better chances you have of getting coverage.
Why is it important?
Reinmuth explained that "security is driving the qualifications for these cyber policies. You don't have certain security; guess what, you don't get the policy anymore." He also shared that many insurers have begun to impose more stringent application processes concerning cybersecurity.
"Carriers are getting more aggressive on some of that stuff. They want EDR (Endpoint Detection and Response) and active threat hunting in place," Reinmuth said. "The more security and the better security you have in place, chances are, the cheaper your rate is going to be and the more coverage that you'll have," he added.
4. Security Awareness
Cybersecurity doesn't stop with the software and systems you have in place. There is a human component that is equally vital in reducing your risk for cyber attacks. This category is concerned about your organization's ability to raise cybersecurity awareness and conduct training for your team.
Why is it important?
In IBM's Cyber Security Intelligence Index Report, it was found that human error was a major contributing cause in 95% of all breaches. That's why insurers will want to check whether you conduct cybersecurity awareness programs and threat simulations regularly. If you do these things, it might indicate to an insurance provider that your organization has IT security embedded in your corporate culture.
5. IT Suppliers
Outsourcing IT and cybersecurity functions to a third party like a Managed IT Service Provider (MSP) does not remove the responsibility of an organization for managing associated risks. That's why this category looks at the quality and reputation of IT suppliers associated with your business.
Why is it important?
Preparing info on your IT suppliers will help insurers gauge the potential risks and impact your business might incur in a cyber attack. Insurers will want to know if your organization has mapped all outsourced cyber activities, with a list of the most relevant IT suppliers, as well as documentation about how outsourcing contracts are written and managed.
According to Reinmuth, there's a greater level of comfort when the insurer knows the IT provider well. He cited as an example when an organization and the MSP managing their technology choose to have the same carrier for their insurance policies.
"If [an MSP] has cyber insurance with techrug and [your organization] has insurance with techrug, there's no finger-pointing. We know that between the policies, one of them is going to activate and trigger, provided it's within the policy parameters. So, I think there's a level of comfort of having everything under one roof," Reinmuth said.
6. IT Update Management
How often do you update your devices, and is the process automated? Insurers may ask these questions to ensure that your organization keeps up to date and anticipates system end of life or maintenance. They will also check whether you have specific software that cannot be updated and if you have the corresponding controls to mitigate the vulnerabilities.
It might also be useful to specify if your organization's update management process is centralized and automated or if it relies on your team voluntarily and independently maintaining their own systems.
Why is it important?
Managing updates and obsolescence indicates how well your organization mitigates threats. Doing that well provides insurers a better picture of your capacity to face cyber risks.
Ready to Mitigate Your Cyber Risks?
Good preparation is the key to getting the protection your business needs from a cyber liability insurance policy. Making sure that you show how well you can mitigate your risk exposure can help you get lower rates and better coverage. So get started on conducting internal assessments and find out the key things you need to improve.
At ITS, we've helped hundreds of businesses spot network vulnerabilities and assess their cybersecurity capabilities. If you want to know how your organization measures up, fill out our form for a free security assessment.
