Forbes and Gartner have both rated risk management as a top priority for business leaders. To truly achieve effective cyber resilience, organizations must be ready to adapt and adopt a comprehensive strategy that integrates cyber resilience, third-party risk management, and robust cyber insurance coverage.
This conversation between Chaz Chalkey, VP at Dataprise, a prestigious Managed Security Service Provider (MSSP), Jason Stein, VP at Telarus, a technology distributer, and our own Andres Franzetti, President of Risk Cooeperative, a growing insurance broker with deep cyber insurance expertise.
The Terms of Engagement
Chaz Chalkey (CC) | Cyber protection and insurance may be new to some, so we’ll start by defining three concepts we’ll cover extensively.
1 | Proactive Cybersecurity – A proactive stance in procuring cybersecurity solutions.
CC | While some people claim they have antivirus and a firewall to cover cybersecurity, we say that’s wildly insufficient. What is needed is the oversight to monitor, manage, maintain tools to bring greater insight to potential risks or incidents that may pop up across your technology landscape.
Jason Stein (JS) | Cyber experts like to say, it’s not IF you may be compromised, but WHEN. With 3.8 million cyberattacks per day, we see an organization fall victim to a breach every 14 seconds in the U.S costing and average of $9 million per breach. Because recovery is so difficult, organizations need lots of layers of security. Right now,88% of all breaches are caused by humans so we need to make sure we’re putting safeguards, like training, in place when it comes to protecting humans from themselves.
2 | Risk – The chance of loss and the financial impacts of that loss.
JS | Organizations need to ask, what financial impacts do identified risks pose, what is the dollar value of those, and then what is the roadmap to successfully protect the organization from internals risks, external risks, and natural risks.
3 | Cyber Insurance – An insurance policy procured to alleviate cyber risk when an organization is not prepared to absorb the financial hit of a cyber attack.
Andres Franzetti (AF) | Cyber risk is so interconnected that it impacts all areas of business, organizations really do need to have an extensive review of risks and assigned costs. But cyber insurance is not complicated by the many types of cyber insurance available. Standalone cyber insurance is what we recommend because of the variety of robust coverages like business interruption, third party risk, reputational risk, privacy and compliance related incidences, and breach remediation. A variety of bundled policies is also available.
The decision on the right insurance solution for your organization requires a hard look at the types of risk you’re willing to absorb and the types of policies that you’re considering implementing to ensure that you have the right coverage for your organization to the resiliency to withstand a cyber event.
CC | Can you highlight the differences between a standard business insurance and a focused cyber insurance plan?
AF | Business insurance encompasses a variety of different insurance policies like physical injury and general liability, plus mandated coverages such as workers comp. While cyber insurance is a discretionary policy, it is sometimes required for work contracts and we’re seeing greater privacy regulations and laws coming into place, which will eventually make it one of the mandated coverages.
Organizations need to understand the implications of cyber policy nuances on their organization, not just the technical specifications. Jason mentioned the cost of a breach is reaching the +$9 million level, and these nuances are some of the costs that are built into that cost, not just remediation, investigation and forensics. Consider the cost of payroll delays, inability to conduct transactions via the website, lost accounts from reputation risk, or vendor risk disrupting business.
Cybersecurity Impacts Insurance Access
AF | The requirements keep increasing from basics like password protection and a response plan, to now being more about integration of technologies and emphasis on training, dual factor authentication, redundancies and backups – impacts not only pricing but also access to cyber insurance.
Companies are being turned away if they don’t meet the minimum security requirements, and that’s a trend we’re going to see continue to increase. There is a tightening of access to cyber insurance, where only the firms that can demonstrate robust cybersecurity practices will be insurable.
JS | Exactly. The cyber insurance landscape is changing dramatically. You used to see everyone get a policy, and if you could prove a breach you got the payout. But in 2021 we saw over 2100 breaches, meaning more than $2.1 million dollars from carriers, so they had to put more requirements in place and raise premiums. Some organizations and industries now require cyber insurance while the requirements are getting more complex. Our expertise helps support access those requirements more easily.
Enhanced Cyber Insurance Offerings
CC | We would be remiss if we didn’t mention a new program Risk Cooperative and Dataprise created called ConvergeConnectTM, where a cyber insurance carrier Converge has validated Dataprise as cybersecurity provider, allowing premier customers eligibility for savings up to 30% on their cyber insurance premiums. Actually, we’ve taken advantage of the the ConvergeConnectTM program for ourselves at Dataprise and are saving tens of thousands per year. It has really helped us to invest in other aspects of our business.
AF | From the insurance perspective, we are helping to close the customer proximity gap. The insurance application process can be quite complex, with a lot of questions requiring technical data. Clients need help from their technology providers to complete the questionnaires, and ConvergeConnectTM helps to streamline that and validate that the protocols are in place, giving the customer access to insurability and premier pricing. With Risk Cooperative serving as broker, clients have the support they need to understand their risks and the various policy coverages to get the protection they need.
Cybersecurity Trends
JS | Cyber insurance is a $13 million industry with around 35 million firms – more than a third of U.S. companies – mandated to obtain a cyber policy. While policies used to be $1 million for a $100 thousand premium, now you’re seeing 2-3x the cost for the same coverage, depending on your cybersecurity protocols. Investing in cybersecurity helps keep those premiums down. But, the policies are also different, with segmented coverage and payout caps. Bringing in your MSSP and your broker to assess risk, assign a value to that risk, and explain your policy options will help ensure you have the best plan in place.
One statistic that stands out is 60% of organizations will use security risk as a factor when determining business relationships. This is huge, because understanding risk is not only valuable for you internal operations, but it’s also a determining factor when engaging in other business activities.
AF | On the other hand, proposed legislation such as the American Privacy Rights Act are creating new GPDR-like protections. These are expected to result in more costly claims, more fines, and more regulation tightening the insurance underwriting process.
We’re seeing a preference for a zero-trust model among underwriters, a model that requires classified access to data and breach response tools. I also want to highlight the risk management component of 3rd party risk from vendors, with compromised software supply chains resulting in $23m in losses in 2023 and predicted to triple by 2025. It’s critical that you have standards in place for the 3rd party vendor management because those are the exposures insurers are looking at and will remove that coverage if proper mitigation components are not in place. Likewise, ransomware is becoming a line of coverage with reduced limits as a leading cause of cyber incidents.
Organizations are opting to outsource cybersecurity because the talent pool is extremely limited and specialization is needed to manage this highly integrated cyber threat. Still, underwriters are struggling to get the technical details for cyber insurance from the consumer, making programs like ConvergeConnectTM a valuable program for clients seeking to build their cyber resiliency.
JS | Not to mention the influence of AI, which is today where cloud computing used to be – more than half of companies want to put some kind of AI in place, but there is just not a ton of security around it.
AF | From the insurance and underwriting side, it’s too early to tell how AI risk will be addressed by cyber insurance but you’re going to see requirements for AI continue to evolve.
JS | Our client needs are aligned with what Andres is saying: greater privacy regulations risk and outsourcing of cybersecurity.
Conclusion
CC | A conversation we have often with partners and customers is how layers of security are often part of a broader business resiliency strategy, driven by the need for business continuity and disaster recovery.
AF | You’re absolutely right. It ties into the proactive risk mitigation we talked about at the beginning – containing losses, reducing downtime and limiting how much is paid out by the insurers – because, ultimately, if you can help contain that loss you have a better chance of managing premiums and maintaining coverage.
Certain risks could be limited or excluded by some policies, so understanding the details is critical to deciding if it’s the best available, while also keeping tabs on the pricing element. Sometimes the cheapest policy won’t have all the coverages, leaving you to shoulder those costs in the end. Your broker should be a trusted partner and walk you through the details to ensure that your policy has the most robust coverage available to you.
