Page 50 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Not only has the rash of ransomware attacks sent cyber insurance premiums soaring, it’s also affected
the coverage that some insurers are willing to offer. In May, French insurance giant AXA announced it
would no longer write policies that reimburse ransomware victims – and was immediately hit with a
retaliatory ransomware attack – while other insurers are declining to take on new clients, or capping their
coverage at about half of what they used to offer.
How can you lower the cost of your cyber insurance policy?
A wide range of factors can impact your cyber insurance premium, including the size of your business
and its annual revenue, the industry you operate in, and the type of data you have access to.
But in much the same way that a high-risk driver will have to pay more for car insurance, the Howden
report found that insurers are demanding more from businesses’ cybersecurity, and will charge
organisations that are more likely to fall victim to a breach a higher premium – or refuse to insure them
altogether.
This is in line with a recent letter from the Insurance Council of Australia to the Department of Home
Affairs, in which the Insurance Council wrote: “Insurance underwriters place a strong focus on a
customer’s risk management and security culture when reviewing, assessing and pricing the risk.
Effective risk management, including a strong internal security culture, can be the most effective defence
against threats.”
This might seem like a no-brainer, but it hasn’t always been this way. In the past, insurers might have
just asked potential clients to fill out a questionnaire about their cybersecurity practices, and taken them
at their word that their house was in order.
In today’s environment, however, these insurers are partnering with outside firms to vet potential clients’
cybersecurity protocols, and demanding to see evidence that they have appropriate controls in place and
are following best practices, including using multi-factor authentication, implementing zero trust policies,
and backing up and encrypting their data.
For instance, the IBM and Ponemon report on the cost of data breaches found that organisations using
high-standard encryption – at least 256 AES, at rest and in transit – had an average breach cost that was
29.4 per cent lower than organisations using low-standard or no encryption. Insurers, who are likely to
be aware of that data, might then offer broader cover and better pricing to organisations that can
demonstrate they’re using strong encryption technology.
Companies that take a proactive approach by providing cybersecurity education for all employees,
including advice on how to identify suspicious emails and requests, are also likely to be looked upon
favourably by insurers.
“Carriers… are demanding extremely high cyber security standards,” says Shay Simkin, Global Head of
Cyber at Howden.