Cyber insurance: A necessary part of IT security
Back in the day, a visit from a life insurance agent was right up there with seeing a door-to-door salesperson on your front porch – something you’d rather not have to deal with even if you knew you needed what they were selling. Fortunately, times have changed. The good news – and the bad news – is that now you have to find the right insurance yourself.
The same scenario applies to businesses and IT teams that have to secure cyber insurance coverage as part of a broader risk management strategy. But how do they get the right insurance?
There are two types of companies when it comes to cybersecurity: those that have been the target of a cyberattack and the exceedingly rare few that haven't. According to the industry association Bitkom, nine out of 10 companies have been affected by cyberattacks in the past two years. The primary goal of hackers is extortion, in which they encrypt or disrupt IT and production systems and demand a ransom payment to restore them. In Germany alone, Bitkom puts the total damage to the economy at around €223 billion or $239 billion annually, nearly double the amount from previous years. And who has to pay for the damage? That's right: the companies that were attacked!
However, companies can protect themselves with a few proactive measures. That includes enhancing systems to increase overall cyber resilience and obtaining appropriate cyber insurance to help offset the costs of recovery. But which insurance is really suitable? How do companies get the right insurance, and what should be done in advance of shopping for a policy?
Cyber insurance is different from IT professional liability insurance, which covers damage claims related to loss or impairment of system functionality or services caused by the company. Cyber insurance covers damage that is not the company’s fault. Claims typically involve information security breaches, when the confidentiality, integrity or availability of data is compromised. In practice, however, cyber insurance is often a combination of liability, business interruption and data insurance for damage or financial loss to the company or associated third parties.
In addition, coverage may apply to incidents that result in lost sales opportunities, cancelled contracts, and costs to restore IT systems and recover customer data. Policies may also cover additional costs for outside technical or crisis management help, and quantifiable damage to a company’s reputation. All of those factors are why cyber insurance is an important part of a company's broader risk management strategy.
While policies and procedures vary from country to country, the "General Insurance Conditions for Cyber Risk Insurance" questionnaire used in Germany provides useful guidelines for small and medium-sized companies applying for coverage. Companies answer the questions as accurately as possible because insurers will closely examine their responses to determine eligibility and policy terms and conditions. Insurers also provide "state of the art" IT security guidelines for helping smaller companies establish effective IT security measures.
The key building blocks of IT security include the following components:
- Security and risk assessment: identifies the risks to critical information systems in order to establish appropriate safeguards and procedures.
- Systems and procedures: including unified endpoint management (UEM) and other systems for centralized management of hardware and software and configuration monitoring of computer systems.
- Programs and practices: Includes systems for updating and monitoring personal firewall, antivirus and other security software, as well as implementation of regular, structured patch and update management programs.
- Vulnerability assessments: Regular vulnerability scans and analyses, along with immediate, preferably automated, prevention and remediation, are becoming increasingly important for network security and maintenance of business operations.
- Data backup & restoration: Backup protection and auditing are essential for incident recovery, data restoration and resumption of normal business operations.
The baramundi Management Suite (bMS) helps in all these areas. It provides comprehensive network transparency and control and facilitates adherence to compliance rules and guidelines. bMS also enables automatic inventory of hardware and software, management of endpoint data encryption and antivirus protection, automated software updating and patching, and backup and restoration. At the same time, it provides transparency and reporting features that can significantly simplify the process of obtaining suitable cyber insurance coverage.
After all, the more a company can show how it assesses and manages its cyber risks comprehensively, the more willing insurers become to provide and renew appropriate coverage at lower cost. If it becomes necessary to file a cyber insurance claim, bMS features can make reporting and documentation much more accurate and efficient.
Cyber insurance is practically mandatory for large companies today. But small and mid-sized companies also can benefit from the additional protection it provides. By using the bMS, they are more likely to have better coverage options and premium costs.
There’s another reason why companies should obtain insurance sooner than later: rapidly increasing premiums. In Germany, for example, premiums rose by 65 percent between 2020 and 2021. In comparison, premiums for other property-casualty insurance policies increased by only 13 percent. Last year’s surge of ransomware attacks and the war in Ukraine – and the increased risk of Russian cyberattacks on western countries – are the main drivers of higher costs.
While the thought of assessing and documenting IT risks and mitigation practices to obtain cyber insurance would hardly be on any IT admin’s list of enjoyable activities, completing that process efficiently by using bMS can help your company obtain the coverage it needs both while improving everyday endpoint management, network performance and IT security.