As cyber criminals mature and advance their tactics, small and medium businesses become the most vulnerable because they lack the capacity (staff, technology, budget) to build strong cyber defenses. SMEs can quickly become easy targets for criminals wishing to reach larger enterprises through complex supply chains.
The necessity for cyber-insurance coverage
With businesses becoming increasingly digitized, they are exposed to greater cyber risks. And while organizations are taking steps to protect against cyber attacks, cybersecurity controls are not impenetrable. With cyber attacks being a question of when, not if, cyber insurance becomes crucial for ensuring business continuity and mitigating the business impact of attacks, should they occur.
Cyber risk insurance covers the costs of recovering from a security breach, a virus, or a cyber-attack. It also covers legal claims resulting from the breach. According to the Sophos 2022 State of Ransomware report, 83% of mid-sized organizations had cyber insurance that covers them in the event of a ransomware attack.
Compliance is another important reason for getting cyber insurance. All companies are subject to state-specific data breach laws for collecting, processing, and storing personal data. Cyber insurance can help cover the costs of complying with state, federal, and international laws, as well as cover regulatory fines and penalties. Overall, having cyber insurance coverage is a demonstration of due diligence.
When you buy cyber risk insurance, its applicability is global; however, the jurisdiction for resolving disputes is determined by the terms and conditions of the contract. Much like any other type of insurance you can buy, cyber insurance companies offer a variety of policies with varying levels of coverage depending on your organization’s risks.
Essential security controls to get cyber insurance
Insurers don’t want to lose money, so they do their due diligence and investigate a company’s cybersecurity practices before insuring it. When you contact a cyber insurer to discuss potential coverage, they will first assess your current cybersecurity posture. If your posture is considered too risky, you will most probably be denied insurance.
“During their assessments, insurance companies look for four critical security requirements, the lack of which are a no-go for further discussions,” says Nikos Georgopoulos, Cyber & Information Privacy Risks Insurance Advisor at Cromar.
You can secure insurance coverage, and even reduce premiums, by implementing good cybersecurity practices, starting with multi-factor authentication, to avoid a breach in the first place. Both you and your insurer want the same thing: for you not to experience a cyber incident.
The following checklist is a starting point for making sure you qualify for cyber insurance.
Checklist for getting cyber insurance coverage

Regularly back up critical data and test that the backups are recoverable
All organizations should take regular backups of their critical data and make sure that these backups are recent and can be restored. Recoverable backups ensure business continuity after a cyber attack, accidental deletion, physical damage, or theft of data. Furthermore, if you have recoverable backups of your data, you are less likely to be successfully blackmailed by ransomware attackers.

Use multi-factor authentication (MFA)
“MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99 percent less likely to have an account compromised,” notes a CISA advisory. MFA is recommended or required by several regulations and is a prerequisite for getting cyber insurance. Even if a business has met all other requirements, it will have a difficult time getting insurance if it hasn’t deployed MFA.

Do not allow remote access into the corporate network without a virtual private network (VPN)
Attackers regularly “port scan” the entire internet for visible remote-access services such as Microsoft’s Remote Desktop Protocol (RDP). Any open RDP service will be constantly probed for weaknesses, so placing your remote-access services behind a VPN that is itself protected with MFA affords a good level of protection against these attacks.

Provide regular, and at least annual, cybersecurity awareness training
Your staff are at the frontline of your organization. They are constantly exposed to electronic communications with third parties that may leave them open to attack. Even though technical security measures afford some level of protection, it is still essential for staff to be aware of the risks. Training helps them identify cyber risks and, ideally, prevent those risks from impacting your organization in the first place.
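As an added illustration of the first checklist item (testing that backups actually restore), and not code from the article or from Thales, the following Python script backs up a small constructed data set, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares every restored file against the manifest. It then runs the same drill against an archive in which one byte was altered after the backup completed, showing that the check catches silent content corruption that a plain tar archive does not detect on its own. All paths, file names and file contents are constructed for the demonstration.

```python
"""Backup restore drill: archive a directory, then prove the archive restores
byte-for-byte before trusting it.  Added example, not code from the article;
all paths and file contents below are constructed for the demonstration."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> dict:
    """Write a tar archive of source and return the manifest of digests taken
    at backup time.  Tar checksums only its headers, not file contents, so the
    manifest is what makes a later restore verifiable."""
    manifest = sha256_tree(source)
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore the archive into a scratch directory and compare every file
    against the manifest.  Returns the discrepancies and an overall verdict."""
    with tempfile.TemporaryDirectory() as scratch:
        restore_root = Path(scratch)
        with tarfile.open(archive, "r") as tar:
            # Use the hardened extraction filter where this Python provides it
            # (3.12+ and security backports) so traversal members are refused.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_root, **opts)
        restored = sha256_tree(restore_root)
    missing = [f for f in manifest if f not in restored]
    corrupt = [f for f in manifest if f in restored and restored[f] != manifest[f]]
    extra = [f for f in restored if f not in manifest]
    return {
        "ok": not (missing or corrupt or extra),
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
    }


def run_drill(tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data.  With tamper=True a byte
    inside the archived ledger is altered after the backup completed, the kind
    of silent storage corruption that tar itself will not report."""
    with tempfile.TemporaryDirectory() as work:
        workdir = Path(work)
        source = workdir / "data"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        archive = workdir / "backup.tar"
        manifest = make_backup(source, archive)
        if tamper:
            raw = archive.read_bytes()
            archive.write_bytes(raw.replace(b"1,100", b"1,900"))
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("tampered archive:", run_drill(tamper=True))
```

Run it directly to see both verdicts. In practice the manifest is stored separately from the archive (and ideally offline), so that whatever damages or encrypts the backup cannot also alter the record it is checked against; the restore test itself should be scheduled, not run only once.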
The impact of cyber insurance coverage on an organization’s security posture can be immense. The Sophos ransomware report states that “97% of organizations that have cyber insurance have made changes to their cyber defense to improve their cyber insurance position. 64% have implemented new technologies/services, 56% have increased staff training/education activities, and 52% have changed processes/behaviors.”
“No MFA, no cyber insurance”
MFA is at the heart of cyber insurance. “No MFA, no cyber insurance,” notes Nikos Georgopoulos. Therefore, when selecting the right MFA partner, you should choose a solution that offers:
- A choice of authentication methods, including phishing resistant methods such as FIDO and PKI-based MFA.
- Flexibility and scalability.
- Lower overall implementation and running costs.
Thales SafeNet Trusted Access provides a wide range of MFA methods and offers a stronger authentication portfolio that is adapted to the customer’s authentication journey, supports more use cases at a lower price, and integrates easily into the customer’s environment.
SafeNet Trusted Access enables organizations to protect enterprise applications and scale securely in the cloud with a broad range of authentication capabilities, while ensuring security with Smart SSO and policy-driven access controls.