By Steve Brining, TRU Partner Technology Evangelist at Acronis
As cyber threats continue to evolve and escalate, cyber
insurance has become essential for businesses to safeguard themselves against
the financial risks associated with data breaches, ransomware attacks, and similar
vulnerabilities. The goal of cyber insurance is to help organizations recover
from the financial costs associated with these incidents such as legal fees,
regulatory fines, data recovery expenses, and business continuity losses.
While cyber insurance can be a valuable safety net, it's not
a catch-all solution. Insurers typically expect businesses to maintain strong
cybersecurity measures as part of the policy requirements. Failure to do so may
result in reduced coverage or claims being denied altogether. In other words,
it's not just about transferring risk to the insurer; it's about sharing the
responsibility to ensure both parties are actively engaged in managing
cybersecurity risks.
With that in mind, let's dive into the critical factors you
need to consider when assessing the value and impact of cyber insurance.
Risk Transfer Versus Shared Risk
Cyber insurance is often misunderstood as a risk transfer
tool or a safety net that businesses can fall back on in the event of a
cybersecurity incident, but in reality, it's much more nuanced. Cyber insurance
is a risk-sharing arrangement between organizations and insurance companies,
not a complete shift of responsibility.
If a company thinks that having cyber insurance
automatically means they are fully protected, they are missing a crucial point:
insurers won't pay out, either partially or in full, if the business hasn't
done its part to mitigate risks in the first place. Insurance companies will look
closely at whether or not the minimum required security best practices were
followed. If not, organizations can expect lower payouts or even a denial of
the claim altogether.
Cyber insurance isn't meant to absolve businesses of their
cybersecurity responsibilities but is meant to complement them. Just like the
shared responsibility model many cloud providers follow where both the vendor
and the client share in securing the environment, cyber insurance requires
businesses to actively engage and collaborate in robust security practices to
effectively manage their risks.
The Essential Eight
The Essential Eight is a cybersecurity framework developed
by the Australian Cyber Security Centre (ACSC) that prioritizes a small set of
mitigation strategies to help organizations protect their IT infrastructure.
If proactively implemented, it can have a significant impact on cyber insurance
by potentially lowering premiums for organizations that adopt it. By
demonstrating a proactive approach to managing cyber risks, it helps reduce the
chances of costly incidents and insurance claims.
The eight mitigation strategies that make up the Essential Eight are
application control, patching applications, configuring Microsoft Office macro
settings securely, user application hardening, restricting administrative
privileges, patching operating systems, multi-factor authentication, and regular
backups. Cyber insurance companies use this framework to assess risk levels and
determine premiums by considering how well a company implements these eight key
security controls. The idea is to encourage businesses to prioritize
fundamental cybersecurity practices to qualify for lower insurance costs and
coverage.
The Impact of Cyber Insurance on the Threat Landscape
With cyber insurance becoming more common, it is important
to consider the effect it is having on cyberattacks. In a scenario where two
small businesses, one with cyber insurance and one without, face a ransomware
attack, the likelihood of a payout differs significantly if one has cyber
insurance. For the company that lacks insurance, attackers may realize there's
little financial gain to be made since the company might go out of business or
can't afford to pay the ransom. However, for the company that has cyber
insurance and follows best practices, the attacker stands a better chance of
getting a payout from the insurance company. As more businesses continue to adopt
cyber insurance, criminals may increasingly target insured businesses as there
could be a higher probability of financial gain.
As cyber threats continue to evolve, businesses must
recognize that cyber insurance is not a substitute for strong cybersecurity
practices, but rather a vital complement to them. While cyber insurance can
provide financial recovery in the event of an attack, it does not guarantee
full protection. Implementing frameworks like the Essential Eight is a good start;
however, insurance companies may also ask for additional security measures like periodic
penetration testing, vulnerability assessments, security awareness training,
network security controls and other risk mitigation measures as part of
underwriting requirements or to lower premiums. Further, as the prevalence of
cyber insurance grows, businesses must understand that the evolving threat
landscape makes them prime targets for cybercriminals seeking financial gain.
Ultimately, the most effective approach to cyber risk management is a collaborative
partnership between businesses, cybersecurity vendors, and insurers, working
together to protect against sophisticated cyber threats.
ABOUT THE AUTHOR
Steve Brining (CISSP) is a cybersecurity evangelist at Acronis. He honed his skills for more than 25 years as a cybersecurity expert at PatchLink, McAfee, BeyondTrust and other technology companies. He holds Master's degrees in business administration in e-business and a Master's in technology and innovation management with specialization in cybersecurity. He is a commanding officer in the Arizona Army National Guard.