Insurance and Cybersecurity Strategy Go Together

Cyber insurance is now the norm, according to new research. A survey from Sophos finds 91% of organizations report having coverage. An additional 8% said while they don’t currently have coverage, they plan to obtain it in the next year. 

For those who purchased a cyber insurance policy in the last year, 95% say that the quality of their cyber defenses directly impacted their insurability:

  • 60% say it impacted their ability to get coverage
  • 62% say it impacted the cost of their coverage
  • 28% say it impacted the terms of their policy

“Cyber insurance is all about cyber risk transfer,” said Sally Adam, senior director at Sophos. “Insurers want to take on the risk of those organizations that are at lower risk of experiencing a claimable incident and also likely to have lower recovery costs if there is an incident. They prefer to insure organizations with strong defense. The stronger you are, the more attractive you are to insure.”

Increasingly, insurance coverage also plays a role in an organization’s ability to recover from an attack, according to Sophos data. For example, organizations with cyber insurance are more likely to be able to recover encrypted data after a ransomware attack than those without coverage. Sophos research finds that, of ransomware victims who had data encrypted, 98% with a standalone policy and 97% with cyber as part of a wider policy got encrypted data back, compared to just 84% without coverage.

“This is likely due to insurers requiring a high bar of response preparedness such as regularly taking backups and having an Incident Response (IR) plan, so you know what to do in an incident,” said Adam. “And insurers are able to guide victims through the recovery process, leveraging their expertise.”

She also notes that Sophos found 58% of those that had data encrypted and had a standalone cyber insurance policy paid the ransom and got data back, compared with 36% of those with cyber as part of a wider policy and 15% of those without a policy.

Working with an insurance provider while enhancing security

Maximizing your policy in tandem with designing defense starts with the application process, said Adam. You will need to prepare and share details of your cyber defenses in order to get insured, so it is important to be clear with insurers about the steps you are taking to reduce cyber risk and why they are strong and worthy of coverage. Insurers consider the quality of defenses when deciding whether to insure an organization, the cost of coverage and limits.

“Customers, insurers and cybersecurity providers all share the common goal of reducing the cost and impact of cyberthreats on businesses. The stronger your defenses, the lower your cyber risk and the better your insurance position.”

Evaluating defense posture shouldn’t end once a policy is obtained. It is an ongoing process. Adam recommends organizations ask insurers how they will recognize and reward strong defenses during coverage. Sophos has recently entered into partnerships with cyber insurance providers that enable customers to share their Sophos health posture with their provider during the course of their policy. 

“This enables the insurer to recognize and reward good security posture in renewal pricing,” she said. 

Whether it is at the outset of looking for a policy, or during coverage, data reveals the importance of the quality of cyber defenses for the purchase of cyber insurance. To discuss your cybersecurity posture and how Sophos can help you elevate your defenses, visit Sophos.com.

