Cybersecurity is a challenge that cannot be solved completely or simply checked off an organization’s to-do list. It is continuous work that requires a multi-faceted approach to reducing and managing any associated cyber risks.
One approach for managing cyber risk is cyber insurance, although many organizations are now questioning the feasibility of insurance given the recent changes in the insurance market.
Over the last 12-to-18 months, the cyber insurance market has shifted significantly. Generally, it has become more expensive to purchase cyber insurance – and those pricey premiums now offer some organizations significantly less coverage than before. In some cases, organizations are now paying multiple times more for cyber insurance than they paid in recent years, and yet they are receiving substantially less coverage.
As for why cyber insurance is becoming pricier and providing less coverage for certain organizations, there are many factors, some of which include:
- Cyber criminals are becoming increasingly skilled at defeating the various protections that organizations have deployed, while also continuing to take advantage of human errors through phishing and ransomware attacks
- Insurance companies are facing a much higher likelihood of claims and those claims are also likely to be more costly as these cyber incidents are larger and more impactful on organizations
- Evaluating how well a cybersecurity program protects an organization and reduces risk is difficult to quantify, and there is no universally agreed-upon standard for that type of evaluation
All of this makes pricing cyber insurance difficult for the insurance companies. Insurers have therefore reevaluated their risk tolerances and concluded that this increased risk means they have more potential exposure, which in turn drives the higher costs that are then passed along in the premiums.
Many organizations feel helpless against the surging cost of cyber insurance, wondering if there is anything they can do to combat the increasing premiums and decreasing coverages. Whereas in the past, organizations were likely willing to absorb the reasonable price of cyber insurance because it was an easy cost justification, now organizations are thinking about risk management more strategically by asking the questions, “How much actual risk mitigation are we getting?” and “Is cyber insurance worth it at this price point?”
The good news is that there are methods that organizations can employ to continue investing in their cybersecurity program. These activities should help reduce cyber risk and may even help maintain cyber insurance coverage levels from prior years or may limit the increases in premiums.
People, processes and technology
On a foundational level, an organization’s cybersecurity program should consist of a three-pronged strategy focused on people, processes and technology. Organizations cannot simply buy some fancy security tools and expect that technology alone to stop cyber attacks. Rather, they need to invest in all three facets for their cybersecurity program to be effective. The technical tools that protect your systems and monitor your weaknesses are necessary, but so are the people who implement and manage those technologies, all while following well-constructed processes that help everything run effectively.