Why would anyone purposely crash their car or set their house on fire, expecting their insurance policy to cover the damages of their negligence?
Why would an enterprise rely solely on its cybersecurity insurance company to manage risk?
Homeowners and business leaders usually work to maintain their assets, protect them from harm, limit attack surfaces, and assume some risk without ever reading the fine print of any insurance policy. Because insurance is reserved for crisis remediation, right?
To manage risk, organizations deploy firewalls, keep IT staff busy with security tasks, and share stories of how other companies fell victim to cyberattacks to anticipate attacks better. The good ones offer Security Education Training and Awareness to their employees and keep their software patched and their network segmented.
But even with these proactive measures, threat actors are still winning, targeting large and small organizations alike. Every organization is at risk.
Forrester found that it costs an average of $2.4 million and 27 days to recover from a cyber event. That does not include costs associated with lost revenue and productivity paralysis during the event. And how will you quantify the damage to your brand reputation? Do you expect your cybersecurity insurance to cover everything? Have you looked at what your policy does cover? Hopefully, you read the fine print.
Insurance buyers, beware: the cybersecurity insurance industry is moving to limit coverage for cyberattacks.
Higher Premiums, Less Coverage
Cyber insurance premium rates have been skyrocketing by 25% per year, and premiums are expected to reach $22.5B by 2025. Insurance companies are inserting additional exclusions into their “war” clauses that may leave you with little to no ability to fund a return to business after a cyberattack.
Words have meaning – and value – especially to cyber liability insurance companies and their stakeholders. In protecting their business model, the cybersecurity insurance industry has redefined policy coverage and exclusions multiple times to avoid payouts to their policyholders. And “war” is one of those words where the industry has repeatedly flexed the definition.
So the big question of “What is war?” is up to the courts, as victims of financially crippling cyberattacks sue insurance companies for the value of their claims.
Is Ukraine experiencing a war? A conflict? An engagement? Who has the burden of discovering the source of a cyberattack? Is a nation-state-sponsored cyberattack considered “war”?
Merck & Co won a $1.4 billion claim against their insurance companies when the court decided that the 2017 NotPetya attack they experienced didn’t fall under the policy’s “war” clause. Mondelez is still litigating against Zurich Insurance for coverage of the $100 million in damages it sustained during the same NotPetya attack.
The insurance industry is paying close attention and narrowing its coverage policies accordingly.
Fighting the Odds of a Cyberattack
How can your organization win the battle against rising odds of a cyberattack while cybersecurity coverage is shrinking? What are the odds of becoming the victim of a targeted cyberattack? High. Very high. 71.1 million people a year become cybercrime victims.
Your best bet is to mitigate the odds of extended downtime with a risk management program implemented across your IT environment rather than relying on a response-based strategy. After threat actors have infiltrated your network and have your data held hostage, you are already in crisis response mode, without the luxury of time to craft a meaningful business continuity plan.
The ability to restore business operations post-attack is even lower if you don't have the necessary IT infrastructure, security solutions, and restorable data backups in place before an attack. Maybe you've decided it's more advantageous to be on the offensive, rattling your sabers? Threat actors are moving targets, sometimes even using the same tools to attack that you use to defend. Hackers are often well-funded by nation-states or by groups with a quasi-moral vendetta against your brand; thus, the risk of an attack can never be eliminated entirely.
It is much wiser to build your preparedness, expect an attack, and know the steps to keep your business operational despite an attack. Know where your data and digital assets live so you can contain the attack, recover, and restore critical data and workflows to become operational again. Create a business continuity plan, practice tabletop exercises, and create communication trees to ensure you can implement your post-disaster recovery plan.
When you see that the end game is to remain operational despite an attack, you may need help to create that preparedness plan. An experienced MSP can help you become more risk aware, fortify your perimeter against increasingly sophisticated attacks, and most importantly, help you recover from an attack with Disaster Recovery as a Service (DRaaS). Look for an MSP that can deliver confidence in your restoration capabilities – so you don't have to rely on cybersecurity insurance to become whole again.
Creating an Acceptable Risk Profile
In the end, you bear the responsibility and blame for exposing vulnerabilities to threat actors. Understanding the complexity of your IT environment and the way your tools interface with your systems can help you prepare an acceptable risk profile. What is worth saving? What are your most critical data and workflows? How long can you afford to be offline? How much data do you have, and where is it backed up? Do you have immutable copies of your data?
What if you honestly don’t know the answers to these questions? What if you don’t have that kind of visibility into your environment? Then you have hidden assets lurking in the dark, unpatched vulnerabilities inviting an attack, and disparate tools that have not been fully integrated to offer substantial protection.
Yesterday was the time to worry. Now is the time to act.
Begin by finding a qualified MSP to assess your entire IT environment in depth. Ask for a Security and Infrastructure Posture Assessment (SIPA) that will explore what exactly is in your enterprise network: the tech stack, the resources being utilized, the controls in place, and the state of your current security posture. Armed with this information, you will clearly understand what you need to do to become compliant, secure, and efficient. An assessment will also identify whether you have the in-house expertise required to detect, respond to, and recover from threats. The assessment may find gaps in security coverage and disaster recovery plans that will prevent you from obtaining cybersecurity insurance, or unmitigated vulnerabilities that could increase your premiums beyond reason.
An MSP experienced in performing SIPAs will dive into your environment to root out vulnerabilities and inconsistencies and engage with your IT leadership to outline a roadmap to stabilize, optimize, and automate your environment for better outcomes. A roadmap will give you the knowledge you need to develop an acceptable risk profile to take control of your future.
Partner with TBC for Cyber Resilience
As a qualified Managed Service Provider headquartered in Phoenix, AZ, TBC is ready, willing, and able to take on your most complex IT challenges. Our IT and data governance standards are SOC2 compliant, and our teams have tremendous experience partnering with best-in-class technology tools to future-proof your business. We know that IT decision-makers must balance the soaring costs of cybersecurity insurance premiums with the level of risk they can afford. TBC can support your team with best practice risk management solutions to secure your perimeter, segment your network, and protect your data and workflows.
TBC’s SIPA will give you the confidence to make educated tech buying decisions and bring visibility into your murky IT environment. Too many organizations try to protect their infrastructure with piecemeal tools and software to manage risk, but disparate tools and unpatched software only lead to greater risk. TBC will help you evaluate the condition of your environment and can deploy unified IT management and maintenance services to keep your whole business humming.
Don’t depend on cybersecurity insurance to bail you out. Let TBC help you build cyber resilience into your organization and lessen your dependency on insurance payouts that may never cover your post-attack expenses. With TBC’s suite of IT services and solutions, you can protect your bottom line and build a more comprehensive business continuity plan.