As Cyber Insurance Claims Soar, Businesses Need to Demonstrate a Standard of Care

Written by Brian Thomas
Manager, Content Marketing

Hardly a day goes by without the emergence of a disturbing new trend in cyber crime or a headline-grabbing hack. Hackers are getting smarter and threat vectors are constantly evolving. The escalating threat is forcing businesses to file more cyber insurance claims than ever. But are they taking the proactive steps necessary to boost their security postures and become a better underwriting risk?

Cyber insurance claims double

According to a new study by AIG, claims frequency has spiked significantly. In 2018, there were as many cyber insurance claims as the previous two years combined, with business email compromise (BEC) overtaking ransomware as the primary claim.

Clearly, cyber insurance is fast becoming a “must-have” for any organization. However, because cyber incidents are becoming more complex and costly for insurers to investigate, companies are under increasing pressure to demonstrate a high standard of care when it comes to their security and third-party management programs.

Insurers are wary of providing coverage to a business that is not aware of its own cybersecurity risk posture. Therefore, in seeking cyber insurance or filing a claim, companies must demonstrate that they are doing everything they can to protect themselves from attacks.

Here are some tactics that businesses can take to gain the trust of underwriters and protect themselves from the rising cost of cyber crime.

Adopt a hacker's viewpoint

Organizations must work towards a greater understanding of how hackers see their network, including its systems, high-value targets, and vulnerabilities. By thinking like a cybercriminal and seeing what they see, organizations can better anticipate attacks before they occur.

To adopt this viewpoint, organizations must be more vigilant in visualizing and quantifying the performance of their cybersecurity program. With a better understanding of how their security apparatus is performing, organizations can also demonstrate a standard of care to their insurer, which is beneficial in the event of a breach or compromise.

Be diligent with vendor selection

Currently, 59% of breaches originate with third-party vendors. Yet, organizations are struggling to make significant progress in managing cybersecurity risk in their supply chains because they lack transparency into the security posture of these partners. This blind spot in their enterprise security risk can cause them to fail to secure the right level and type of insurance coverage.

Rather than be handicapped by their inability to identify risky vendors and potential third-party vulnerabilities, organizations can use security ratings to quickly identify risk in their digital supply chain and help put procedures in place to protect their organization from an attack and demonstrate due diligence to insurers.

Turn the C-suite’s gaze beyond the headlines

In a dynamic threat environment, it’s all too easy for the C-suite and Board of Directors to get distracted by the latest headlines and steer resources in a reactive manner. But risks are always changing - today it’s phishing scams, but tomorrow it may be something else. Executives can’t afford to lose sight of the long-term threat picture, or else risk a significant hit to their organizations’ reputations or heavy fines.

CISOs must look beyond the four walls of the SOC and build bridges with other stakeholders, including the CEO, CTO, and legal counsel, to clearly and succinctly articulate how cybersecurity impacts their organization and the value and limits of their cyber insurance program. Simultaneously, CISOs can’t be insulated, either; they must be continually vigilant about potential risks that may fall outside of their purview.

Don’t turn insurance into a catch-all

Cyber insurance has become a necessary component of doing business, but it can’t be a catch-all. Companies still need to be proactive in their approach to security, lest insurance fail to adequately cover their risk exposure. Organizations must show the insurers that they’re serious about security by implementing a prolonged and proactive approach to risk management.