Since 2019, the cyber insurance market has grown significantly. The surge in demand for cyber insurance policies was driven in part by low rates and broad coverage terms, often underwritten with minimal due diligence. More recently, the landscape has changed: cyber threats have become more sophisticated and more frequent, and losses have followed. As a result, insurers are reassessing the risk they take on and tightening their underwriting.
With global cybercrime costs projected to exceed 10 trillion dollars within the next two years, the cyber insurance market is taking steps to limit its exposure and manage losses more effectively. Organizations seeking cyber coverage should expect insurers to assess their security controls and readiness before binding a policy, typically through a questionnaire and, increasingly, an external scan. At a minimum, the following security practices will need to be in place:
- Multifactor authentication (MFA) adds a layer of protection to accounts and systems beyond the password. By requiring two or more independent factors (something you know, such as a password; something you have, such as a hardware token or a phone running an authenticator app; something you are, such as a biometric), MFA makes a stolen or phished password insufficient on its own to gain access. Insurers treat MFA as a baseline requirement and usually ask specifically whether it is enforced on remote access (VPN, RDP), email, and privileged or administrative accounts. Note that not all MFA is equal: SMS and push-notification methods can be defeated by real-time phishing and push-fatigue attacks, so phishing-resistant methods such as FIDO2/WebAuthn security keys are preferable where they can be deployed.
- Air-gapped backups are another important control for limiting the damage of a cyberattack. Keeping a backup copy that is isolated from the production network and from internet-connected devices (offline media, or an immutable copy that production credentials cannot modify or delete) ensures that even if an attacker gains control of the environment, an untouched copy of systems and data survives. Insurers see an air-gapped backup as a barrier against loss from ransomware, which routinely targets online backups before encrypting production data, and as a way to reduce downtime and reputational damage. Expect to be asked not only whether such backups exist, but how often they are taken and whether restores are actually tested; a backup that has never been restored is an assumption, not a control.
- Encryption is another "standard" practice that insurers look for when evaluating how well sensitive data is protected. When data is encrypted, an attacker who obtains the ciphertext (for example, by stealing a laptop or copying a database export) cannot read it without the decryption key. From a cyber insurance perspective, encryption of data at rest and in transit is a necessary step that reduces the impact of a breach and, in many jurisdictions, can affect whether a lost device or dataset counts as a notifiable breach at all. The caveat practitioners will recognize: encryption only helps if the keys are managed separately from the data. A database encrypted with a key stored in the same configuration file, or a disk whose passphrase is on a sticky note, does not meet the intent of the control.
- Patch scheduling reduces the risk of cyberattacks by ensuring that software and systems are kept current with security updates. Cyber insurers assess both whether a business has a routine maintenance cadence and how quickly it can respond to a newly disclosed critical vulnerability, since unpatched, internet-facing systems are among the most common initial entry points in claims. Questionnaires typically ask for the time-to-patch for critical vulnerabilities, so it is worth having a defined, documented target for each severity level and evidence that it is met. A regular patch schedule and the ability to act on critical vulnerabilities within a defined timeframe are essential to maintaining compliance with many industry regulations and standards and are often a prerequisite for obtaining a cyber insurance policy.
As the costs associated with cyberattacks continue to rise, the practices above have become baseline underwriting requirements for cyber insurance. These "table stakes" are standard security practices rather than advanced ones; organizations that go further and adopt a holistic, well-evidenced security program will often be able to negotiate lower cyber insurance premiums and broader coverage terms. In our next blog post, we will delve into strategies that harden your security posture and reduce cyber insurance premiums.