
Cyber Insurers Tighten Requirements

Insurance companies don't like losing money. More requirements aren't always bad, though.

Cyber Insurance is a growing market for small and medium-sized businesses (SMBs), but it’s getting tougher to obtain coverage. Insurers are in the business of writing policies and taking your money, so they naturally want to write as much business as possible.

The problem: insurance providers have taken big hits.

Insurance companies are in the business of taking risk, and sometimes these risks go badly. But this is a bit worse than the standard, run-of-the-mill losses. In some cases, it’s so bad that the revered Lloyd’s of London has reportedly warned its members against providing cyber coverage. The company has already advised its syndicate members against providing coverage of losses due to state-sponsored cyber attacks.

"...this insurance does not cover any loss, damage, liability, cost or expense of any kind directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation." - proposed language from Lloyd's for insurance carriers

And let's be honest here - it's really hard to prove or disprove whether an attack is state-sponsored. Enter the lawyers!

While we're navigating the whole insurance application process, hackers are wise to the insurance payout game. It’s now common for hacker forums to share stolen insurance policies from real businesses. They look at coverages and limits to determine which business will pay out the most after their attack! When they know they've found an easy payer, the attack is on.

Ok, enough feeling bad for the insurance companies. Your business still needs protection.

Cyber attacks continue to rise year on year. Even without seeing the data, you know this already. This means cybercriminals are making a whole lot of money. Neither you nor the insurance company wants to be contributing to these lavish lifestyles.

So you want insurance to protect against these bad outcomes.

And insurance companies are making it harder to qualify for coverage.

So what is the insurers’ response to the surge in attacks on their clients (and their own balance sheets)?

They’re making YOU tighten up your security, making it harder for the bad guys to get in (and less likely the insurers will have to pay out).

Better security is good for everyone, but it still takes some work. So let’s take a look at some of the security steps insurance companies are requiring.

  1. Patching - keeping all systems on the latest software updates. This seems easy, but it so often isn’t. Unpatched networks are a wide open door for attackers.
  2. Backups - keep solid backups! You don’t ever want to have to use them. But you’ll be thankful you’ve got your data secured if you are ever attacked.
  3. Password Policy - implement MFA (multi-factor authentication) and/or implement a strong password manager.
  4. Anti-Virus - this one kind of seems obvious. You need a strong AV solution.
  5. Privileged Access Management - all sensitive data access should only be granted on an as-needed basis.
  6. Security Awareness Training - saving the best for last here. 9 out of 10 attacks start with an attacker fooling one of your employees.

Where do you start?

If you’ve got the above in place already, your next step is documenting your systems, policies and procedures. Yes, this can be brutal.

Often it’s wise to get some assistance.

If you’re under 500 employees, you don’t need to hire a whole team of IT folks - outsource your IT management to an MSP (managed service provider). Let them take care of your systems for you. That’s what they do!

Not only will your MSP keep your systems up to date and protected against the latest vulnerabilities, but they can also advise on compliance best practices and help you organize your data. This can reduce your exposure to hackers and the consequences of being breached.

Insurance carriers need to see you’ve got experts managing your IT systems and following these IT and Security Policies. Hiring an MSP can be a great way of doing that.

Security Awareness Training Satisfaction

When it comes to your Security Awareness Training, INFIMA makes it easy. We provide fully automated Training and Phishing Simulations, and we even include your Employee Security Awareness Training Policy! Confidently hand that right to your insurance company.

✅ User Security Awareness Training
✅ Privacy Training
✅ Phishing Attack Training

You've got enough other things to be doing. We got this.

If you're an MSP and want to learn more, go check out how we Partner with you here. If you like what you see, book a time to chat!

Lloyd's of London photo by noel o'shaughnessy on Unsplash

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.