In Q1 2022, the average cyber insurance premium price went up by 28% compared to the previous quarter. The reasoning for this is not difficult to figure out — the number of data breaches for 2021 was well over the total for 2020, despite 2020 being itself a record year for cyber attacks because of the COVID-19 pandemic.
The nature and scale of the attacks also became far more alarming in 2021. The Colonial Pipeline hack demonstrated to everyone just how connected we all are to the grid, and how a single attack can bring down an enormous swath of infrastructure.
The average cost of a data breach in the United States is the highest in the world, sitting at a whopping $9.44 million.
To mitigate those costs, cyber insurance has grown into a major industry, but now the industry is tightening its purse strings due to the sheer onslaught of cyber attacks.
Fortunately, there is something companies can do to obtain cyber insurance at the best possible price: Discover and close off security vulnerabilities through an effective Cybersecurity Risk Assessment Program.
What is a cybersecurity risk assessment?
An organization is most likely to be attacked at its point of highest vulnerability. A cybersecurity risk assessment helps you establish where these points of vulnerability are, and provides solutions to strengthen these areas of weakness.
There are many types of attack vectors that cybercriminals can leverage to gain access to your computer's network. This spans the entire gamut of mechanisms from direct hacking to fraudulent emails to direct contact with your employees.
The criminal tool set is constantly growing, but some attack vectors are more popular than others. Verizon's 2022 Data Breach Investigations Report revealed that 82% of all compromises involved the human element. That means that some form of social engineering was used.
The most common way this is done is through phishing emails — fraudulent emails that trick users into sharing sensitive information such as login credentials.
The tragedy of such attacks is that they are entirely preventable, and a properly done Cybersecurity Risk Assessment would be the first step to determining where the point of greatest weakness is. For example, a properly configured email spam detection system could catch the vast majority of such fraudulent emails. Also, a simple training program could help employees better understand these types of attacks and so greatly reduce the chances of them falling prey to one.
Other key areas that a properly done cybersecurity risk assessment would look at include:
- A company's digital footprint — how much information you leave trailing behind you on the web that cyber criminals could leverage to attack your network.
- Patch management — how well you keep your network and computers patched with the latest critical security updates.
- Website security — this is an enormous topic that covers all aspects of potential attacks through your website. Website security is even more important for companies that store customer information online such as e-commerce stores. A breach of an e-commerce website could mean direct access to customer records which could lead to hefty fines.
- Attack surface — this determines the overall potential area of attack for your network. Do your employees log in remotely to the company network? Are you using cloud services? Properly assessing your overall attack surface, as well as making sure that the entire surface is as secure as possible, is vital to establishing a robust security posture.
- Reputation monitoring — although not commonly considered a cybersecurity issue, maintaining a positive reputation is vital to reduce the chances of being attacked as part of some socially or politically motivated hacktivism campaign.
There are several other key areas that should be looked into in-depth when performing a cybersecurity risk assessment, especially various potential technical weaknesses. It goes without saying that the company performing the cybersecurity risk assessment should have a full and comprehensive knowledge of all potential attack vectors and how to protect against them.
How can cybersecurity risk assessments reduce your insurance premiums?
Insurance providers are in the business of risk. The lower the risk, the more likely they are to cover you. The higher the perceived risk, the more money they'll demand in premiums. It's a numbers game.
"Left of Bang" is a term that was popularized by the US Marine Corps and refers to everything that occurs before an attack (which is considered the bang). This would include all proactive measures taken to prevent an attack.
The more measures a company takes left of bang, the more likely an insurance provider is to consider that company a lower risk.
Predictability is an important Left of Bang activity that insurers place great value on. The ability to predict attacks and prevent them is crucial to lowering risk. Tools that can help predict potential attacks are things such as Endpoint Detection and Response (EDR) that constantly monitors an organization's endpoints (laptops, mobile devices) for suspicious behavior. The EDR can then take immediate automated action or recommend action based on what it finds.
Other factors that insurers consider vital when considering whether to insure you, and at what premium, are:
- Susceptibility to phishing
- Attack history — has your organization been hacked previously? Were there credentials leaked to the internet for your organization in the last 90 days?
- Does your company have a high-severity vulnerability due to an out-of-date system?
- Are any of your critical ports publicly visible?
A proper cybersecurity risk assessment not only provides insurance companies with all the necessary information to show that your company is not seriously vulnerable, but it also shows you what needs to be addressed to make a stronger case to the insurance company.
Get an expert cybersecurity risk assessment from Hammer IT Consulting
Hammer IT Consulting has extensive experience in delivering comprehensive cybersecurity risk assessments that review all potential areas of vulnerability. We then provide you with suggestions on how to fix these vulnerabilities so that you can take proactive action before applying for cyber insurance.
Even when you have hardened every possible area of your organization's security posture, there is still the remote possibility that you might be hacked. That's why obtaining cyber insurance is so vital. Recovering a cybersecurity risk assessment is the smartest way to get the best value for money with your cyber insurance.
We have been working with Cyber Insurance Providers to help determine the risk coverage for their clients by utilizing our unique approach to the Cybersecurity Risk Assessment. Specifically, our service identifies key areas of risk, including financial, ransomware, compliance, and overall technical risk. Essentially, our assessment looks at your organization "from the outside," using the same information that criminal hackers have access to in order to discover your cybersecurity weaknesses and vulnerabilities.
Our approach is to quantify the risk, and translate risk levels to a dollar amount so that underwriters can better define risk thresholds with each policyholder.
This improves cyber insurance pricing in two ways:
- Companies that have worked to improve their security posture will pay less in premiums after receiving one of our cybersecurity risk assessments. The insurers we work with trust our assessments.
- Companies that have active weaknesses can decide to repair those weaknesses after receiving our cybersecurity risk assessment. Once repaired, they can receive a new risk assessment and so qualify to pay less for their cyber insurance.
Learn more about Hammer IT Consulting's cybersecurity risk assessment service.