Cyber insurance premiums are rising and coverage is being limited. Some organizations just can’t find insurance at all at an affordable price.
Law firm Akin Gump says that some of their clients reported a 300% increase in premiums and carriers are pulling back coverage.
The federal government is very concerned because critical infrastructure might not be able to survive a major cyber attack if they can’t get adequate insurance. Treasury issued a request for public input on a possible federal cyber-insurance response program. The Federal Insurance office and DHS’s CISA is investigating the extent to which risks to critical infrastructure requires a federal response. That doesn’t help the rest of us, of course.
Part of this is due to the fact that cyber insurance is covering a lot more than it used to. It is covering Extortion, reputation damage, compliance fines and third party liability.
The writer of the source article says there are limits to best-practices based evaluation, but I am not in agreement. They said even something as basic as comprehensive patching is unattainable.
One point the writer did make, which I agree with, is that security programs that lack continuity are doomed to fail.
Companies without comprehensive security programs are much less likely to get any coverage under favorable terms.
So what do they recommend when negotiating with insurance underwriters? Here are some ideas.
- Reduce risk, quantitatively, beyond best practices
- Risk is quantified using a third party assessment
- Continuous reassessment to prevent security “drift”
- Continuous security practice validation after underwriting
A client of ours recently got an email from their insurance company underwriter saying that the insurance company detected an exposure and while they could not force them to fix it, they probably would not renew the policy if they didn’t. Luckily, the client was on top of this and fixed the issue immediately.
That points to the fact that your insurance company is watching you and if they see something they don’t like, they probably won’t renew.
What that means is that you have to be better than average and better than the next guy. Are you? Credit: The Hacker News
Need help? Contact us.