July 26, 2024

Negotiate Your Next Cyber Insurance Policy With This 6-Step Playbook

TL;DR: Cyber liability insurance is essential, but premiums are increasing, and numerous exclusions exist. Important steps to lower premiums include preparation, articulating your risk, and demonstrating progressive improvement in security through measurable metrics.

Why Do Organizations Need Cyber Liability Insurance?

Cyber liability insurance has become an important component of every organization’s cyber strategy. There are several benefits, such as:

  • Financial and Legal Protection: Cyber liability insurance covers direct costs, business interruption, legal fees, regulatory fines, and third-party claims arising from cyber incidents, protecting your organization from significant financial losses.
  • Reputation and Response Management: Insurance companies provide resources for effective incident response, including access to cybersecurity experts and public relations efforts to manage reputational damage and maintain customer and stakeholder confidence.
  • Encourages Best Practices and Compliance: The insurance promotes the adoption of robust cybersecurity measures, helps maintain regulatory compliance, and enhances overall business resilience against evolving cyber threats.

The Main Challenge: Rising Premiums

While cyber insurance is essential, one of the primary issues is the rising cost of premiums. Insurance companies adjust their rates accordingly as ransomware, data breaches, incidents, and insider threats become more frequent.

[Chart: Rising cyber insurance costs, change in cyber insurance premiums (%) year over year]

Due to these escalating costs, organizations find it harder to afford coverage, especially small and midsize businesses, where a single incident could have a catastrophic impact. Another significant challenge is the dynamic nature of cyber threats. New vulnerabilities and attack vectors are continuously emerging, making it difficult for organizations to understand their footprint and liability.

Identify What You Can Control

Insurance rates for cyber liability policies are influenced by various factors. Rates tend to increase due to the rising number of ransomware attacks and data breaches, which result in substantial financial losses for insurers as they cover the costs associated with these incidents.

Conversely, rates can be lowered when companies provide evidence of security controls, demonstrate robust risk management practices, and showcase a security roadmap. Beyond these basic strategies, our customers, such as Carvana, have leveraged these specific tips and tricks to reduce risk.

Playbook to Reduce Premiums


We collected six actionable suggestions that you can leverage with your underwriters. Ultimately, every underwriter wants to be confident that you will not file a claim in the next 12 months, and these tips will give them that confidence:

    1. Functional Org Chart: Take the time to help underwriters understand your security organization. Include information about the number of people on your security team and their roles, responsibilities, backgrounds, and skills. Visually represent in a functional org chart how you are organized – for example, if you have an application security team, identify the areas included in their scope, such as bug bounty program management, threat modeling, penetration testing, source code scans, etc. Don’t forget to include information about third parties that supplement your internal information security team, such as a managed security services provider that provides Tier 1 support for your Security Operations Center.
    2. By the Numbers: It is important for underwriters to understand the scope of your information security program in the context of your business. Include business metrics like annual revenue, customer base, trademarks, and patents owned. Articulate your attack surface by including the number of users, endpoints, servers, applications, code repositories, databases, cloud subscriptions, personally identifiable information (PII) records, etc.
    3. A Year Lookback: Provide context on what your team has accomplished through quantifiable metrics. As an example, include a trend line that shows how your breach likelihood changed over the last year (hopefully going down). Use additional security tools that measure your security posture from an external perspective to help underwriters verify that appropriate controls are in place.
    4. Prioritized Security Initiatives: Provide a roadmap that includes the top 5 to 10 security initiatives to reduce risk for the year, and provide context on the status of each initiative (e.g. Is the initiative completed? Is the initiative targeted to be completed by the end of the year? Is it a multi-year, multi-phased project?).
    5. Key Focus Areas: If you are renewing your cyber insurance policy and you have an existing relationship with your underwriters, outline progress made against any areas that were discussed last year to demonstrate progress. For example, if you had several end-of-life operating systems in your environment, describe how you have reduced them. Similarly, if you had several critical vulnerabilities open, show how that has changed and explain the steps you have taken to address them. This shows you have been listening to their feedback and making progress.
    6. Security Technologies (or Controls): Represent your security controls visually, either as a layered onion mapped to the OSI layers or as a table, to display the holistic set of information security controls and protections that mitigate risk. [Slide: Information Security Controls, illustrative example]
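As an added example (not part of the original post or of Balbix's product), here is how the quarter-by-quarter numbers behind steps 3 and 5 can be derived from a vulnerability-tracker export: open critical findings, their mean age, and a cumulative mean time to remediate (MTTR) at each checkpoint. The finding records and checkpoint dates are constructed for illustration.

```python
# Constructed example: year-lookback metrics from a list of vulnerability
# findings. Sample data below is made up for illustration.
from datetime import date
from statistics import mean

# (finding id, severity, date opened, date closed or None if still open)
FINDINGS = [
    ("V-1", "critical", date(2023, 8, 2),   date(2023, 9, 21)),   # 50 days to close
    ("V-2", "critical", date(2023, 9, 10),  date(2023, 10, 20)),  # 40 days
    ("V-3", "high",     date(2023, 9, 15),  date(2023, 10, 5)),   # 20 days
    ("V-4", "critical", date(2023, 10, 1),  date(2023, 10, 31)),  # 30 days
    ("V-5", "critical", date(2023, 11, 12), date(2023, 12, 2)),   # 20 days
    ("V-6", "high",     date(2024, 1, 3),   None),                # still open
    ("V-7", "critical", date(2024, 2, 14),  date(2024, 2, 24)),   # 10 days
    ("V-8", "critical", date(2024, 3, 20),  None),                # still open
]
# Quarter-end checkpoints for the trend line shown to underwriters (constructed)
CHECKPOINTS = [date(2023, 9, 30), date(2023, 12, 31), date(2024, 3, 31)]

def _open_on(finding, severity, as_of):
    """True if the finding has the given severity and was open on as_of."""
    _, sev, opened, closed = finding
    return sev == severity and opened <= as_of and (closed is None or closed > as_of)

def mttr_days(findings, severity, as_of):
    """Cumulative mean time to remediate (days) over findings closed by as_of."""
    durations = [(closed - opened).days for _, sev, opened, closed in findings
                 if sev == severity and closed is not None and closed <= as_of]
    return mean(durations) if durations else None

def open_count(findings, severity, as_of):
    """Number of findings of the given severity still open on as_of."""
    return sum(1 for f in findings if _open_on(f, severity, as_of))

def mean_open_age_days(findings, severity, as_of):
    """Mean age (days) of findings of the given severity open on as_of."""
    ages = [(as_of - f[2]).days for f in findings if _open_on(f, severity, as_of)]
    return mean(ages) if ages else 0

def lookback_report(findings=FINDINGS, severity="critical", checkpoints=CHECKPOINTS):
    """One row per checkpoint: (date, open count, mean open age, cumulative MTTR)."""
    return [(d, open_count(findings, severity, d),
             mean_open_age_days(findings, severity, d),
             mttr_days(findings, severity, d)) for d in checkpoints]

if __name__ == "__main__":
    for d, n_open, age, mttr in lookback_report():
        print(f"{d}: open critical={n_open}, mean open age={age}d, MTTR={mttr}d")
```

The same three functions run over a real tracker export give the "critical vulnerabilities open" and remediation-speed trend that step 5 asks you to show year over year.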

Understanding Exclusions and Gotchas

One of the most critical aspects of cyber insurance is understanding the exclusions in your policy. Exclusions are specific conditions or scenarios not covered by the insurance. Here are some standard exclusions to watch out for:

Acts of War and Terrorism

Exclusion: Many cyber liability policies exclude coverage for damages resulting from acts of war, terrorism, or state-sponsored attacks.
Surprise Factor: Given the increasing frequency and sophistication of state-sponsored cyberattacks, businesses might assume they are covered, only to discover that such incidents are excluded.

Insider Threats

Exclusion: Claims arising from intentional malicious acts by employees or insiders may be excluded.
Surprise Factor: Many businesses focus on external threats and might not realize that their policy doesn’t cover damages caused by insiders, who can sometimes be the source of significant breaches.

Pre-Existing Vulnerabilities

Exclusion: Coverage may be denied for incidents resulting from vulnerabilities or exposures the company knew about but failed to address.
Surprise Factor: Companies may be unaware that failing to patch known vulnerabilities can void their coverage, leaving them exposed after an incident occurs.

Understanding these exclusions can help you be more informed and avoid unnecessary hassle during the claim process (should one arise).

How Balbix Helps

[Screenshot: Balbix CISO GRC Dashboard]

Balbix plays an important role in providing access to lower premiums and greater insurance coverage. Here’s how Balbix can assist:

  • Understand Your Attack Surface: Balbix provides a comprehensive view of your attack surface, including internal- and external-facing assets, applications, cloud, and IoT. More importantly, Balbix layers on business impact and context that help communicate the impact of a breach.
  • Prioritize and Remediate Vulnerabilities: Balbix helps prioritize vulnerabilities and exposures based on risk, ensuring that the most critical issues are addressed first.
  • Quantify Risk for Underwriters in Monetary Terms: Balbix quantifies risk in monetary terms, providing clear and understandable metrics for underwriters. This helps in communicating the value of your security measures.
  • Demonstrate Progress Through Metrics: Balbix offers out-of-the-box metrics such as mean time to remediate (MTTR) and mean-vulnerability open rate (MOVA). These metrics showcase your efforts and progress to insurers, potentially leading to lower premiums.

Conclusion

If any of this interests you, sign up for a 30-minute demo to learn how we can help you reduce your insurance costs and what Balbix can do for you.