Cyber insurance: The 5 Things Your Managed Service Provider is Afraid to Tell You to Save Your Business

Here are the 5 Things You’ll Wish You Knew About Cyber Insurance Before You’re Breached

According to Cybercrime Magazine’s 2022 Cybersecurity Almanac, more than half of all cyberattacks are committed against small-to-mid-sized businesses (SMBs), and 60 percent of those businesses close within six months of a data breach or hack. Those are not odds you want to gamble on, and they are a compelling reason to invest in cyber insurance. Not only will you sleep better knowing you are protected against bankruptcy should you experience a breach, but you will also be required to meet the carrier’s security control requirements, which steadily reduce your risk over time.

If you’ve ever wondered whether cyber insurance is really necessary for your business, you’re not alone. The short answer is yes. Here’s why:

In 2021, Cybersecurity Ventures estimated that an organization suffered a ransomware attack every 11 seconds, and projected that by 2031 a consumer or business will be hit every two seconds. Business owners are feeling the strain not just in their technology, but also in their wallets.

However, not all cyber insurance policies are created equal. This is why you need a technology expert who can guide and assist you through the insurance process.

That’s why we’ve compiled a short FAQ to get you the information you need to make the right decision when it comes to your cyber insurance.

Why do I need cyber insurance?

In a nutshell, the sheer quantity of cyber threats and their evolving complexity make it impossible for even cybersecurity experts to guarantee that you will never be breached. Being breached is no longer a matter of if, but when. Even best-in-class cybersecurity tools and services cannot stop every attack, because your weakest link is the human element: your staff.

Cybercriminals often have access to your IT systems for months, sometimes up to a year, before they make their presence known, and the longer they are in your environment, the more damage they can and often will do. To limit that damage, you need to invest in a robust cybersecurity maturity program for your organization as well as acquiring cyber insurance.

To be clear, cyber insurance is intended to make a policy holder whole again following a cybercrime event, covering costs a general liability insurance policy WILL NOT cover.  These include:

  • Business interruption
  • Litigation expense
  • Regulatory defense
  • Crisis management
  • Cyber extortion
  • Breach remediation

Cyber insurance helps cover the costs of breach remediation, which can be very expensive depending on the extent of the damage. Most managed IT services providers (MSPs) do NOT include breach remediation in their fully managed plan agreements. Clean-up after a breach is billed like an hourly, project-based service, usually at premium rates.

How do I qualify for cyber insurance?

Qualifying for insurance has taken on a whole new meaning in the past two years due to the pandemic and the explosion of cybercrime. During this time, the cyber insurance landscape has changed dramatically. The days of self-answered survey questions such as “Do you have anti-virus or email protection?” are long gone. Carriers now demand strict adherence to their cybersecurity requirements, with verified controls in place, before they will issue coverage, and they look at those same controls again when a claim is filed.

Here are some examples of the types of qualifying questions an insurance carrier may ask you today. (Please note that each carrier may differ slightly so be sure to contact them directly for their eligibility requirements):

  • Do you have Multi-Factor Authentication (MFA) on cloud-hosted email?
  • Do you have MFA on all points of entry into the environment?
  • Do you have MFA on admin access to servers?
  • Does your staff have admin rights to their local workstations?
  • Do you have EDR-based endpoint security?
  • Are you performing regular security awareness training for your employees?

Due to enormous costs involved in remediating cyber-attacks, it’s in insurance companies’ best interest that their clients do everything in their power to protect their businesses. This is the reason they require companies to meet their eligibility requirements.
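A self-attested yes or no to each of these questions is exactly what carriers no longer accept, so it pays to generate the answers from evidence. The script below is an added example, not part of the original article or of any carrier’s questionnaire: it takes two constructed exports (an account list from an identity provider and an endpoint inventory, both with assumed column names) and turns them into pass/fail answers with the exceptions listed, so that “we have MFA” becomes “MFA is registered for 60% of accounts and these admins are missing it”. Security awareness training is left out because its evidence (attendance and phishing-simulation records) lives in a different system.

```python
"""Added example: turn raw control evidence into verifiable answers to a
cyber insurance carrier's qualifying questions.

All data below is constructed for illustration. The two CSV exports use
assumed column names; a real environment would export equivalent data from
its identity provider, EDR console and endpoint management tooling.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample: one row per account from the identity provider.
USERS_CSV = """userPrincipalName,isAdmin,isMfaRegistered
alice@example.com,true,true
bob@example.com,false,true
carol@example.com,true,false
dave@example.com,false,false
erin@example.com,false,true
"""

# Constructed sample: one row per workstation/server from endpoint management.
# localAdmins is a semicolon-separated list of members of the local
# Administrators group; edrLastCheckinDays is blank when the agent never
# reported in.
ENDPOINTS_CSV = """hostname,primaryUser,localAdmins,edrInstalled,edrLastCheckinDays
WS-01,bob@example.com,Administrator;bob@example.com,true,0
WS-02,dave@example.com,Administrator,true,1
WS-03,erin@example.com,Administrator,false,
SRV-01,,Administrator;alice@example.com,true,12
"""


def load(csv_text: str) -> List[Dict[str, str]]:
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def truthy(value: str) -> bool:
    """Normalise the boolean spellings different exports use."""
    return value.strip().lower() in {"true", "yes", "1"}


def mfa_gaps(users: List[Dict[str, str]]) -> Tuple[float, List[str], List[str]]:
    """Return (MFA coverage %, admins without MFA, all accounts without MFA)."""
    registered = [u for u in users if truthy(u["isMfaRegistered"])]
    missing = [u["userPrincipalName"] for u in users
               if not truthy(u["isMfaRegistered"])]
    admins_missing = [u["userPrincipalName"] for u in users
                      if truthy(u["isAdmin"]) and not truthy(u["isMfaRegistered"])]
    coverage = round(100 * len(registered) / len(users), 1) if users else 0.0
    return coverage, admins_missing, missing


def local_admin_exceptions(endpoints: List[Dict[str, str]]) -> List[str]:
    """Hosts where the day-to-day user is also in the local Administrators group."""
    hosts = []
    for e in endpoints:
        admins = {a.strip().lower() for a in e["localAdmins"].split(";") if a.strip()}
        user = e["primaryUser"].strip().lower()
        if user and user in admins:
            hosts.append(e["hostname"])
    return hosts


def edr_gaps(endpoints: List[Dict[str, str]], max_stale_days: int = 7) -> List[Tuple[str, str]]:
    """Hosts with no EDR agent, or an agent that has not checked in recently.

    An installed-but-silent agent is treated as a gap: it provides no
    detection or response, which is what the carrier's question is about.
    """
    gaps = []
    for e in endpoints:
        if not truthy(e["edrInstalled"]):
            gaps.append((e["hostname"], "no agent"))
            continue
        days = e["edrLastCheckinDays"].strip()
        if not days or int(days) > max_stale_days:
            gaps.append((e["hostname"], f"stale ({days or 'never'} days)"))
    return gaps


def attestation(users: List[Dict[str, str]],
                endpoints: List[Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Map each qualifying question to (pass, evidence string)."""
    coverage, admins_missing, missing = mfa_gaps(users)
    local_admins = local_admin_exceptions(endpoints)
    edr = edr_gaps(endpoints)
    return {
        "MFA on all user accounts": (not missing, f"{coverage}% registered; missing: {missing}"),
        "MFA on admin access": (not admins_missing, f"admins without MFA: {admins_missing}"),
        "No local admin rights for staff": (not local_admins, f"exceptions: {local_admins}"),
        "EDR on every endpoint": (not edr, f"gaps: {edr}"),
    }


if __name__ == "__main__":
    report = attestation(load(USERS_CSV), load(ENDPOINTS_CSV))
    for question, (ok, evidence) in report.items():
        print(f"[{'PASS' if ok else 'FAIL'}] {question}: {evidence}")
```

Run against the constructed data, every question fails, which is the point: the honest answer to “Do you have MFA?” is not “yes” but “for 60% of accounts, and carol@example.com is an admin without it”. Re-running the same script after remediation, with fresh exports, gives you the dated evidence to send the carrier, and the same exceptions list is what you would be asked for if a claim were ever investigated.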

What determines the cost of your cyber insurance premium?

Insurance carriers weigh two primary areas when calculating the cost of your premiums.

First, the carrier will ask for more information about these specific components of your company:

  • Your company’s annual revenue – The higher the revenue, the higher the premium.
  • Your total number of employees – As with revenue, the more employees you have, the higher the premium. Each additional user is another potential point of compromise, so your risk grows with headcount.
  • Your company’s industry – Depending on the risks your industry faces, some carriers will charge you a higher premium or will decline to insure you at all.

Second, the carrier will require your company to conduct a self-audit that identifies current cybersecurity gaps and vulnerabilities. For preliminary quotes, this self-audit is usually all that is required.

  • The self-audit will include verifying what type of cybersecurity controls you have in place in your business. Cybersecurity controls significantly improve your security posture, making it harder for bad actors to compromise your network.
  • It’s important to be honest and transparent on your self-audit. If the carrier doubts your answers, they have software tools to generate their own, more accurate risk assessment of your business, and they will use them.

After the carrier has collected the above data, they will calculate your premium. However, before issuing a policy, many carriers now require a formal technology audit of the environment using sophisticated assessment tools.

What happens if your business fails to comply with an insurance carrier’s requirements?

If you haven’t implemented the required cybersecurity controls, you’re hurting your business in three ways:

  • You’ll be at a much greater risk of a cyberattack and/or breach.
  • You’ll pay a higher premium.
  • You’ll lose your cyber insurance coverage, or your claim will be denied when you file one.

When looking for a cyber insurance policy and partner, it is vital to be open about your current cybersecurity standing. Hiding or masking the truth only hurts your business. Insurance companies have ways to assess the accuracy of your claims and will either refuse to take you on as a client or refuse to pay out if a breach occurs.

If you know you need to put better cybersecurity controls in place, tell the carrier that you are working on it. Then stay in regular communication so they know when you have met each requirement. To achieve and maintain compliance, it is extremely helpful to have a strong relationship with your IT department or managed IT services provider.

To get the cybersecurity insurance you need, you must have the proper cybersecurity controls in place.

As mentioned above, cyber insurance carriers will not cover you if you do not already have these controls in place, because cybersecurity controls dramatically reduce your overall risk. Cyberattacks and breaches are expensive not only for your business but also for the insurer. Looking at the bigger picture, investing in cybersecurity controls in the first place saves you and the insurance company a great deal of money, not to mention reputation damage, lost customers, and stress.

Examples of cybersecurity controls include multi-factor authentication (MFA), limited admin rights, EDR-based endpoint security, security awareness training, and written cyber policies that apply companywide to all employees. Every business needs all of these components; cybersecurity is not an a la carte affair. You also need to continuously monitor your IT environment to identify and remediate threats.

Controls are the backbone of your cybersecurity maturity program and must continuously evolve to defend against rapidly changing cyber threats. Therefore, it’s important to work with your IT provider to make sure you are consistently investing in and implementing the right cybersecurity controls to protect your business. Learn more about cybersecurity controls here.

If you need help implementing better cybersecurity controls to protect your business, click here to learn how we can help.