Every business today faces the rigors of maintaining both business and cyber resiliency. And with that comes the pressing need to have not only a proactive cybersecurity strategy, but also cyber insurance coverage to meet the ever-growing demands of government regulations.
Even though we provide cybersecurity services ourselves, IGI must adhere to the same security standards as other businesses. We have to leverage several business insurance programs to bolster our overall business resiliency that dovetails into our cybersecurity posture. Also, like other businesses, we need to periodically go through review and renewal exercises related to maintaining and aligning our insurance programs with our approach to cyber.
As a result of our annual insurance renewal discussions, we’ve received some interesting feedback from our primary insurance provider that we feel is valuable to share:
1. Cyber liability insurance is getting harder to purchase and, in some cases, renew.
2. Cyber liability programs are becoming significantly more expensive.
The difficulty in acquiring cyber insurance and the increase in prices are directly linked to the increase in cybercrime and the resulting increase in claims. But they are also a result of companies not being prepared and up to date on their cyber programs.
Not only have cyber liability insurance providers changed their programs, but there is also a shift in the industry as both the insurer and the insured must be more vigilant in their approach. This includes the use of new phrases (at least, new to cyber insurance) such as “uninsurable” and “high-risk premiums.” Like any other insured asset, insurance companies are getting better at measuring exposure to risk as related to digital assets.
IGI recently reached out to our insurance provider partners and fellow business leaders, all of whom confirmed that their cyber liability premiums are on the rise. Companies with mature, executable cybersecurity programs and no claims are seeing increases starting at around 10%. Companies that cannot demonstrate effective cybersecurity programs, or that have had repeat compromises, are seeing policy premium increases as high as 10x what they pay today, and some are being dropped by their provider completely.
As business leaders, what do we do now?
First, we need to recognize that the insurance providers, underwriters, brokers, and agents are not the villains here. In truth, I’ve personally been part of several cybersecurity incidents where I was amazed that the insurance company covered a client who clearly could have avoided their exposure by implementing simple, fundamental cybersecurity programs prior to their incident. We must be honest; at some point, we all knew that things were going to change. The actuarial tables used to calculate risk were going to mature to match the current threat environment. And that change is upon us.
Instead of relying on cyber liability insurance coverage to act as your cybersecurity program, organizations now need to build relevant, scalable, manageable cybersecurity programs that reduce reliance on cyber insurance. Cyber insurance is not cybersecurity.
Here’s my transparency statement: Don’t expect that your cybersecurity program is going to pay for itself through reduced insurance premiums. And cyber liability insurance should not be the driver for implementing cybersecurity programs. Remember, the purpose of implementing cybersecurity programs is to 1) Reduce and manage risk exposure, and 2) Build business continuity and resilience (reduce business disruption and barriers to growth). The formula is based upon simple principles: Protect your data, protect your clients, protect your employees, protect your core business.
Then, we purchase insurance as a financial stopgap. Let me put it in relevant terms. Buying cyber liability insurance as your cybersecurity program is like buying homeowner’s insurance so you don’t have to buy smoke detectors. When you have a fire, your homeowner’s insurance claim will not save your family. This may be a jarring comparison, but I hope it can drive my point home.
It should be quite simple: Build a manageable cybersecurity program, reduce your exposure to risk, and, therefore, control your cyber liability rates.
IGI Cybersecurity recently released our new cybersecurity leadership program called IGI CISO Team-as-a-Service (IGI CISO TaaS). The IGI CISO TaaS program is designed specifically to partner cybersecurity professionals with client leadership with the goal of building resilient, scalable, effective cybersecurity programs aligned with core business objectives. Contact IGI Cybersecurity for more information about IGI CISO TaaS and our suite of cybersecurity services.