
Cyber insurance: an umbrella for a cloudy IT security climate

7 March 2024, Benedict Weidinger

Once primarily seen as a technical subject for IT pros, managing cybersecurity risks and the potential financial impacts are now concerns for top business managers. This article explains why CISOs and CFOs should consider cyber insurance an essential component of overall risk management.

In short

  • The growing number of damaging cyberattacks and new stringent IT security regulations have changed the IT security climate. 
  • Cyber insurance is now seen as a financial umbrella providing crucial protection in today’s cloudy IT security environment because it helps mitigate the costs of recovering from theft, damage or loss to electronic data even when strong defensive measures are in place.
  • While executives now see cyber insurance as an essential component of business risk management, CISOs, CIOs and CFOs have different priorities and requirements for technical, operational and financial coverage.

In this second part of our series on cyber insurance, we focus on the responsibilities of CISOs and CFOs. In Part 1 we took a closer look at the important role IT admins play when organizations seek or renew insurance coverage.

2023: the changing IT security climate

The facts are clear: the number of companies of all sizes falling victim to cyberattacks is increasing significantly worldwide.

Operators of critical infrastructure and associated businesses face increased government scrutiny and requirements for cybersecurity and incident reporting. In the U.S., the National Institute of Standards and Technology (NIST) published the “Guide to Operational Technology (OT) Security” in September 2023 to guide OT operators on improving OT security. That followed passage in 2022 of the Cyber Incident Reporting for Critical Infrastructure Act, which granted rule-making and enforcement authority to the Cybersecurity and Infrastructure Security Agency (CISA) and mandated incident reporting for critical infrastructure providers.

In the EU, the new NIS2 directive has tightened requirements for business IT security and holds corporate leaders responsible for ensuring that the company’s cyber defenses meet the latest standards. NIS2 affects companies with more than 50 employees and €10 million in annual revenue in banking, healthcare, energy, transport and many other sectors. The expanded range of businesses affected by the requirements and the increased fines for non-compliance prompted the President of Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) to recommend that companies set aside at least 20 percent of their IT budgets for cybersecurity measures.

Cyber insurance: a different kind of “umbrella” policy

One way for companies to obtain a reliable rescue package in the event of a cybersecurity incident is to take out cyber insurance. This differs from traditional business liability and professional indemnity insurance, which covers claims resulting from product or service errors, malfunctions or limitations. Cyber insurance covers costs incurred as the result of an attack affecting the confidentiality, integrity or availability of electronic data, even when compliant security practices are in place. Cyber insurance should be considered an integral part of business and IT risk management today.

Accurate reporting to find the right insurance

Most insurers provide cyber insurance questionnaires for companies to complete. This self-disclosure determines insurance eligibility and how the policy should be individually structured. It includes questions about security guidelines, risk management, protection of information systems, vulnerability assessments, data backup and employee training. Businesses must answer these questions as accurately as possible because insurers will verify whether the stated criteria were actually met if a claim is filed. Ultimately, the more secure a company is, the better insurers can assess its specific risks and the more favorable the policies they can offer.

Comprehensive unified endpoint management (UEM) software such as the baramundi Management Suite (bMS) can help companies maintain a current and accurate overview of their systems and security status and document compliance with applicable requirements.

Priorities vary when choosing coverage

The process of applying and qualifying for cyber insurance now involves several company executives and departments. The CISO (Chief Information Security Officer), for example, prefers cyber insurance that covers specific risks such as data theft, data breaches and business interruption. The scope of coverage and the extent of incident response services are also priorities.

The CIO (Chief Information Officer) is focused on coverage for damage to the company’s IT infrastructure and data, including protection against malware and physical damage. That includes the technical details of and coverage requirements for hardware and software.

The CFO (Chief Financial Officer) is interested in coverage for cybersecurity-related losses including business interruptions and liability claims. Cost-benefit analyses and the potential financial impact of security incidents take precedence.

Protection for a more secure future

One thing is clear: the CFO is not the only one keeping an eye on costs. The cost of cyber insurance is rising, driven in part by an increase in geopolitical conflicts and in state-sponsored and organized cybercrime groups. For example, Microsoft became a victim of a Russian state-sponsored hacker group, resulting in the exposure of emails of numerous top managers.

Investing in cyber insurance requires thorough preparation and analysis, but in an emergency it can make the difference in the extent of damage and the speed of recovery. Insurance provides financial protection in the event of a cyberattack by paying compensation and the costs of forensic investigations and business interruptions.

Insurance can also provide access to expertise to help with risk assessment and prevention. CISOs and CFOs must ensure that they strike the right balance between insurance costs and the cost of providing security measures that meet their requirements. Even though cyber insurance doesn’t replace the need to implement appropriate and compliant IT security measures, it offers protection against damages from a cyberattack. As new regulations and the changing, often ominous-looking IT security climate make clear, cyber insurance has become an integral part of modern business and IT risk management.

A guide to obtaining cyber insurance

Are you considering adding, renewing or increasing cyber insurance coverage as part of your IT and business risk management strategies? baramundi has 6 essential recommendations to help you sort through the complexities of cyber insurance.

Go to the baramundi cyber insurance checklist
