As a technology provider to the insurance industry, we learn from our clients who write cyber insurance policies. Along with the cost for cyber insurance trending upward, stricter underwriting requirements have come into play. In this blog we share ideas to save on cyber coverage and be better prepared against a cyberattack.
Some of our customers specialize in writing cyber insurance and are seeing claims multiply, capacity tighten, underwriting require more subjectivities (conditions the insured must satisfy before coverage binds) and premiums escalate. Cyber claims increased 500% in 2021 compared to 2020, and premiums sometimes increased by as much as 75%. There doesn't appear to be an end in sight to these trends.
Cyber criminals have unfortunately become more organized, experienced and bold. There are now ransomware gangs that run ransomware as a service (RaaS): the operator builds and maintains the malware and leases it to affiliates, who carry out the intrusions and hand over a share of each ransom. With RaaS, for as little as a $40 monthly subscription, a criminal with little technical skill can access tools to launch successful cyberattacks. Cyber criminals, like burglars, look for the most vulnerable businesses to attack, so they can get the most return (ransom pay-off) for the least amount of effort.
A survey from the Council of Insurance Agents & Brokers (CIAB) reports that 'the increase for cyber insurance was caused by more ransomware attacks, poor risk management protocols and the lack of employee training.' And, according to the Identity Theft Resource Center (ITRC), ransomware breaches have doubled in the past two years. So, in addition to facing higher premiums, you will most likely receive more questions about your cybersecurity controls, especially surrounding multi-factor authentication (MFA), incident response, off-site backups and employee training.
So, what can you do to be better prepared against a cyber attack as well as qualify for the best cyber coverage with your insurance carrier?
- Enhance employee training: cyberattacks still usually start with phishing, an email that impersonates a trusted company or colleague to trick the recipient into entering credentials on a fake login page, opening a malicious attachment or approving a payment. Phishing is one form of social engineering, in which the attacker uses deception rather than a technical exploit to get people to divulge sensitive information such as passwords, bank account numbers or social security numbers. Often, employees are the weakest link and don't think before they click on a link or an attachment. Shoring up employee training, including simulated phishing campaigns so staff practice reporting suspicious mail, is a first step to hardening your environment against cyberattacks. At MGA Systems, we work with several training firms, including KnowBe4, for mandatory security awareness training. Every employee has a responsibility in keeping the company's data secure.
- Implement data encryption at rest: make sure that your data, whether you manage it on site, in the cloud or store it at a data center, is encrypted at rest. Without the encryption keys, it will be much more difficult for a cyber criminal who steals a disk, a laptop or a copy of a backup to read your data. Keep in mind what this control does not do: an attacker who logs in with a stolen password is served decrypted data just like a legitimate user, so encryption at rest protects against lost or copied media, not against account compromise. Store the keys separately from the data (a cloud key management service or hardware security module) and limit who can use them.
- Enable multi-factor authentication (MFA): for important data access, such as email, remote access to the network (VPN and remote desktop) and all administrator accounts. MFA requires that you present at least two different kinds of evidence to gain access: something you know (a password or PIN), something you have (a phone, authenticator app or hardware key) or something you are (a fingerprint). Using your bank card plus your PIN at an ATM is MFA; so is entering your password and then a one-time code from an authenticator app. A code sent by text message is better than a password alone, but app-based or hardware-key MFA is stronger because text messages can be intercepted or redirected through SIM swapping, and underwriters increasingly ask which kind you use.
- Secure backups at an off-site location: keep at least one copy that is offline, or stored immutably so that it cannot be altered or deleted, and that is not reachable with the same credentials as your production network. Ransomware operators look for backups first and encrypt or delete them before detonating, because a business that can restore will not pay. Test a full restore on a schedule; a backup that has never been restored is an assumption, not a control.
- Regular patching ensures that your systems are up to date with security fixes: this provides increased security protection for your servers and other devices. Prioritize internet-facing systems (VPN appliances, remote desktop gateways, email servers) and vulnerabilities known to be actively exploited. You may want to consider automated patch management software, which regularly scans for missing updates and patches the appropriate applications and software tools. This avoids a critical patch being missed by a busy IT administrator and keeps your network as secure as possible.
- Conduct penetration tests and vulnerability assessments: both are essential for your cybersecurity, and they answer different questions. A vulnerability assessment is an automated scan that inventories your systems and lists known weaknesses such as missing patches and weak configurations. A penetration test is usually a mix of manual and automated work in which a tester actually tries to exploit those weaknesses and chain them together the way an attacker would. As stated in a recent article, "a vulnerability assessment answers the question, 'What are our weaknesses, and how do we fix them?' Penetration testing answers the question, 'Can someone break in, and what can that attacker get access to?'" Run the scan frequently and the penetration test at least annually and after major changes.
- Continuous monitoring: collect logs from servers, endpoints and cloud services in one place and alert on things such as a burst of failed logins followed by a success, logins from unexpected locations or at odd hours, the creation of an unexpected administrator account, or security software being disabled. Use automated tools to scan your entire IT ecosystem for these signs of potential threats or breaches, and make sure someone is responsible for acting on the alerts. This data allows your IT team to address events or incidents as quickly and effectively as possible, often before the attacker reaches the point of deploying ransomware.
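For the monitoring bullet, the following is an added example (not code from the original post or from MGA Systems) of the kind of detection logic a monitoring tool runs over authentication logs to surface the two patterns named above: a burst of failed logins followed by a success, and an unexpected administrator account. It works on Windows Security event IDs 4625 (failed logon), 4624 (successful logon), 4720 (user account created) and 4732 (member added to a local security group), which are real event IDs, but the sample records, host names, user names and the list of approved provisioning identities are constructed for this example and are assumptions, not data from the post.

```python
"""Added example: detection rules over a handful of constructed Windows
Security events. Not part of the original post. Real events from a SIEM
or Windows Event Forwarding carry many more fields; the simplified JSON
shape below keeps only what the rules need.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one JSON object per line, in time order.
# Scenario: a password-guessing burst against jsmith succeeds, then that
# account creates a new user and adds it to Administrators; two days later
# an approved provisioning service onboards a normal user.
SAMPLE_LOG = """
{"ts":"2024-03-02T01:12:03Z","id":4625,"host":"FS01","user":"jsmith","actor":"-","ip":"203.0.113.7"}
{"ts":"2024-03-02T01:12:05Z","id":4625,"host":"FS01","user":"jsmith","actor":"-","ip":"203.0.113.7"}
{"ts":"2024-03-02T01:12:06Z","id":4625,"host":"FS01","user":"jsmith","actor":"-","ip":"203.0.113.7"}
{"ts":"2024-03-02T01:12:08Z","id":4625,"host":"FS01","user":"jsmith","actor":"-","ip":"203.0.113.7"}
{"ts":"2024-03-02T01:12:09Z","id":4625,"host":"FS01","user":"jsmith","actor":"-","ip":"203.0.113.7"}
{"ts":"2024-03-02T01:12:40Z","id":4624,"host":"FS01","user":"jsmith","actor":"-","ip":"203.0.113.7"}
{"ts":"2024-03-02T01:14:10Z","id":4720,"host":"FS01","user":"svc_backup2","actor":"jsmith"}
{"ts":"2024-03-02T01:14:12Z","id":4732,"host":"FS01","user":"svc_backup2","actor":"jsmith","group":"Administrators"}
{"ts":"2024-03-04T09:30:00Z","id":4720,"host":"WS17","user":"new.hire","actor":"svc_provisioning"}
{"ts":"2024-03-04T09:30:02Z","id":4732,"host":"WS17","user":"new.hire","actor":"svc_provisioning","group":"Remote Desktop Users"}
"""

# Assumptions for this example: the only identity allowed to create accounts,
# how many failures within the window count as a burst, and how recently an
# account must have been created for its elevation to be treated as critical.
APPROVED_PROVISIONERS = {"svc_provisioning"}
FAILED_LOGON_THRESHOLD = 5
BURST_WINDOW_S = 300
NEW_ACCOUNT_AGE_S = 3600


def parse_events(text):
    """Parse the JSON-lines log into dicts with a real datetime in 'ts'."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events


def detect(events):
    """Run the rules over time-ordered events; return (severity, message) findings."""
    findings = []
    created_at = {}                # (host, user) -> when the account was created (4720)
    failures = defaultdict(list)   # (host, user) -> timestamps of failed logons (4625)
    for e in events:
        key = (e["host"], e["user"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            # Rule 1: success preceded by a burst of failures = likely password guessing.
            recent = [t for t in failures[key]
                      if (e["ts"] - t).total_seconds() <= BURST_WINDOW_S]
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                findings.append(("high", f"{e['user']} logged on to {e['host']} from "
                                         f"{e.get('ip', '?')} after {len(recent)} failed attempts"))
        elif e["id"] == 4720:
            created_at[key] = e["ts"]
            # Rule 2: account creation by anyone other than the provisioning identity.
            if e["actor"] not in APPROVED_PROVISIONERS:
                findings.append(("medium", f"account {e['user']} created on {e['host']} "
                                           f"by unapproved actor {e['actor']}"))
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            # Rule 3: every Administrators addition is reported; it is critical when
            # the account is brand new or the actor is not an approved provisioner.
            born = created_at.get(key)
            fresh = born is not None and (e["ts"] - born).total_seconds() <= NEW_ACCOUNT_AGE_S
            unapproved = e["actor"] not in APPROVED_PROVISIONERS
            severity = "critical" if (fresh or unapproved) else "low"
            note = " (account created less than an hour ago)" if fresh else ""
            findings.append((severity, f"{e['user']} added to Administrators on "
                                       f"{e['host']} by {e['actor']}{note}"))
    return findings


if __name__ == "__main__":
    for severity, message in detect(parse_events(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

Run as written, the routine reports the jsmith logon as high, the creation of svc_backup2 as medium and its elevation as critical, and stays silent on the onboarding of new.hire into Remote Desktop Users. The useful design choice is that rule 3 fires on every Administrators addition and only varies the severity: an approved change still leaves an audit trail, while a change by an unknown actor or for an hour-old account is exactly the pattern that precedes a ransomware deployment and should page someone.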
For a more complete list of recommendations to prepare you for the most cost-effective, comprehensive cyber insurance policy, refer to the checklist on page 19 of the Ransomware trends: Risks and Resilience article. At MGA Systems, we are available to answer any questions you may have about your cybersecurity risks and ways in which to position your firm to avoid cyberattacks. Remember, good cyber hygiene will not only help you protect your data, but also help you find appropriate cyber coverage at a reasonable price.