Insurance companies don't like losing money. More requirements aren't always bad, though.
Cyber Insurance is a growing market for small and medium-sized businesses (SMBs), but it’s getting tougher to obtain coverage. Insurers are in the business of writing policies and taking your money, so they naturally want to write as much business as possible.
The problem: insurance providers have taken big hits.
Insurance companies are in the business of taking risk, and sometimes these risks go badly. But this is a bit worse than the standard, run-of-the-mill losses. In some cases, it’s so bad that the revered Lloyd’s of London has reportedly warned its members against providing cyber coverage. The company has already advised its syndicate members against providing coverage of losses due to state-sponsored cyber attacks.
...this insurance does not cover any loss, damage, liability, cost or expense of any kind directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation. - proposed language from Lloyd's for insurance carriers
And let's be honest here - it's really hard to prove or disprove whether an attack is state-sponsored. Enter the lawyers!
While we're navigating the whole insurance application process, hackers are wise to the insurance payout game. It’s now common for hacker forums to share stolen insurance policies from real businesses. They look at coverages and limits to determine which business will pay out the most after their attack! When they know they've found an easy payer, the attack is on.
Ok, enough feeling bad for the insurance companies. Your business still needs protection.
Cyber attacks continue to rise year on year. Even without seeing the data, you know this already. This means cybercriminals are making a whole lot of money. Neither you nor the insurance company wants to be contributing to these lavish lifestyles.
So you want insurance to protect against these bad outcomes.
And insurance companies are making it harder to qualify for coverage.
So what is the insurers’ response to the surge in attacks on their clients (and their own balance sheets)?
They’re making YOU tighten up your security, making it harder for the bad guys to get in (and less likely the insurers will have to pay out).
Better security is good for everyone, but it still takes some work. So let’s take a look at some of the security steps insurance companies are requiring.
Where do you start?
If you’ve got the above in place already, your next step is documenting your systems, policies and procedures. Yes, this can be brutal.
Often it’s wise to get some assistance.
If you’re under 500 employees, you don’t need to hire a whole team of IT folks - outsource your IT management to an MSP (managed service provider). Let them take care of your systems for you. That’s what they do!
Not only will your MSP keep your systems up to date and protected against the latest vulnerabilities, but they can also advise on compliance best practices and help you organize your data. This can reduce your exposure to hackers and the consequences of being breached.
Insurance carriers need to see you’ve got experts managing your IT systems and following these IT and Security Policies. Hiring an MSP can be a great way of doing that.
When it comes to your Security Awareness Training, INFIMA makes it easy. We provide fully automated Training and Phishing Simulations, and we even include your Employee Security Awareness Training Policy! Confidently hand that right to your insurance company.
✅ User Security Awareness Training
✅ Privacy Training
✅ Phishing Attack Training
You've got enough other things to be doing. We got this.