By Jon Clark
April 24, 2023
As the global economy continues its cycle of growth following periods of recession, there certainly seems to be a consistent increasing focus, in many industries, to find cost savings in creative ways. One such way could be to combat the growing expense of cyber liability insurance—an essential component of many organizations’ risk management strategy, with rising premium costs that can make effective budgeting difficult.
There has no doubt been a rise in cyber-attacks like ransomware and data breaches, and businesses of all sizes and descriptions have turned to cyber liability insurance providers to shoulder some of the risk for them. But as the number and cost of claims increase against this insurance industry segment, so have the premiums.
Many factors contribute to the cost of cyber liability insurance coverage. Some factors are seemingly immutable in many environments, but others can be impacted by risk treatments, thereby reducing the amount of risk being transferred to the insurer. And the less risk you are asking the insurer to take, the less they will charge for their premiums. We will be taking a deep dive into some of the areas that tend to impact insurance premiums for cyber liability coverage and looking to provide information to assist you in reducing the risk, and consequently the premiums, for the areas you can influence in your environment, specifically those around Information Technology and your Information Security program.
Since the thought of diving into insurance application forms is a less-than-exciting prospect, we will frame the conversation as a bus tour around an island…You know – just for fun!
Let’s discuss the path we aren’t going to take on this tour first: the areas outside of the focus of our expertise. As stated, many of the factors that impact your potential premiums are either beyond your control or would require a significant change in the way you conduct business, so might not be the best area to look to reduce risk. Things like the size of your company, what industry or sector the company operates in, frequency and severity of cyber-attacks in your industry or sector, and regulatory compliance for your industry are typically intrinsic to who you are, and all unlikely to be a focus area for changes just to lower insurance premiums.
Other factors, while within your ability to control the impact of premiums, are beyond the scope of this article, and more the subject of Enterprise Risk Management, rather than IT-focused risk management. Items such as coverage limits, deductibles and retentions, exclusions, or endorsements, standalone or endorsement policies, and other business-oriented factors are areas that should absolutely be considered and looked at to control premiums, but the subject of a different article.
Without further ado, let’s get this bus on the road…
On the way to the first destination in our traveling tour, you will improve your information security program and subsequently lower your risk profile by conducting a thorough risk assessment of your environment, using one of the many available control frameworks such as NIST, COBIT, or ISO/IEC, or at least an assessment based on them.
This assessment should be thorough and well-documented. It should cover all areas of the enterprise and review threat sources and events, vulnerabilities, likelihood, and impact analyses. A thorough assessment results in an understanding of your risk appetite and tolerance levels, a risk monitoring matrix, ongoing development and management of risk scenarios, a risk register, risk responses, control testing and monitoring, and risk mitigations through treatment. These risk treatments can lead to a lower level of residual risk, and a corresponding reduction in the amount of risk you are seeking to transfer to the insurer, resulting in lower premiums.
By way of a thorough risk assessment and follow-up action, we arrive at an improved security posture where we enjoy the additional benefits of potentially lower premiums.
Let’s continue the journey…
Another way to a lower risk profile and lower premiums is through adequate team training to spot and resist cyber security attacks. Engaging, informative, and regular training is critical to reducing the risks to your organization. Technology can protect against many different types of attacks, but no technology can match the ability to recognize a well-crafted phishing attack quite as well as the human brain.
Perimeter defenses are designed to filter out a high volume of low-quality efforts. But targeted attacks will often make their way through typical defenses and end up in the inbox of your team. Ensuring your team has received documented and mandatory training on many aspects of end-user security including password construction and management, phishing and social engineering scams, data privacy, physical security, notification training, and policy education all help to reduce your risk profile and elevate your environment to a higher state of security. Again, by improving your program, you are potentially lowering your premiums.
Everyone back on the tour bus and onto the next destination – Incident Response Planning!
While most companies seeking cyber liability insurance will likely already have a (hopefully tested) Disaster Recovery Plan, and maybe even a Business Continuity Plan, few will have ventured along the entire path of developing a comprehensive Incident Response Plan as we will on this tour. In our experience, an Incident Response Plan is being requested in typical cyber liability insurance applications more frequently than ever. You may wonder which plan is most appropriate for which situation.
In a nutshell, a disaster recovery plan (DRP) will typically be very IT systems focused, and all about getting every system back to normal operational functioning following some type of incident.
A Business Continuity Plan (BCP) will have much more detail regarding business processes and consist of several documents that have been carefully curated over time as a part of the information security program. A good BCP will be built from a Business Impact Analysis (BIA), a Risk Assessment, and multiple interviews across the enterprise with various business process owners. It will help guide the criticality and pace of recovery and guide the building of the DRP by prioritizing systems for recovery according to critical business process needs.
An Incident Response Plan (IRP) is a guiding document to help navigate an incident by establishing a team and defining its responsibilities and actions to maintain confidentiality, integrity, and availability during the event. The goal is an expedient, coordinated response that reduces damage to the organization and thereby limits the company’s exposure during any incident, with varying levels of response called out depending on the severity of the incident. These range from run-of-the-mill events, such as security alerts from your monitoring systems that require investigation by your security analysts, all the way up to full-blown catastrophes such as a complete loss of the brick-and-mortar structure that houses your business or a significant data breach. The IRP will outline documentation and reporting procedures, offer guidance on data collection and evidence preservation, specify who to communicate with, what to communicate, and at what intervals, and proactively appoint the governance structure for running the incident—all decisions much better made before being involved in an actual crisis event.
| Disaster Recovery Plan | Business Continuity Plan | Incident Response Plan |
|---|---|---|
| Focuses on getting IT systems back to operational function after an incident | Details processes to maintain and restore business operations in the event of an incident | Guides incident-specific procedures and processes during an event |
Having a robust IRP in place reduces the chance actions will be taken or allowed during an unplanned event that will result in greater damage to the integrity or reputation of the organization. Your Incident Response Plan ensures that communication between interested parties is accurate and timely and that actions taken during the incident are accurately timelined and documented.
Having this type of plan in place improves your overall security posture, and as we have already learned, a more mature information security program will result in lower insurance rates.
Let’s keep moving along to the next stop – Frameworks and Best Practices.
Welcome to Frameworks! Another fantastic tool you can use to improve the robustness of your program is to choose a framework to work within. One such framework is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). NIST CSF is an excellent example of these frameworks and can be very appealing to the cost-conscious, as the framework documents are available entirely free of charge from the U.S. government.
Using such a framework to evaluate all aspects of your information security program will ensure that you don’t have areas of oversight and that you are following best practices as determined by a consortium of industry contributors. The goal of such frameworks is to “enable organizations, regardless of size, degree of cyber security risk, or cyber security sophistication to apply the principles and best practices of risk management to improve security and resilience.”
Aligning your program to such a framework is a great way to demonstrate the maturity of your Information Security posture and lower your potential premiums.
On to the last stop (and fan favorite) of our tour – Audit (Who doesn’t love an audit?!)
As exciting as they are, regular audits of your environment will identify vulnerabilities or weaknesses and allow you to implement the updates or improvements needed to strengthen your security posture. These audits can take many forms, all useful in helping you find areas needing improvement. Regular vulnerability scans, periodic penetration assessments by either an internal or external team, fractional expertise in risk management, and compliance audits against standards such as HIPAA or PCI DSS all improve your environment.
Having such audits conducted regularly, with well-documented results and remediations, demonstrates a very effective security program to interested parties, like insurers. A mature information security posture will give your company the tools needed to stay on top of developing risks and maintain the lowest residual level of risk possible, which will hopefully lead to the lowest premiums possible on your cyber liability insurance.
Tour over, time to head back.
In the end, there are really only four options.
We talked about two of them, reduction and transference. If you aren’t ready to stop conducting business and pursue risk avoidance, all that leaves you with is acceptance. In other words, a YOLO approach to risk management. I can’t say I recommend it…
Hopefully, after our journey together today, you’re more informed about some fundamental opportunities that can all impact your security posture and lower your residual risk:
Additionally, while we didn’t seek to dwell outside of our expertise, we did make brief mention of other factors besides the maturity of your information security program that could be impacting your premiums: market segment vulnerabilities, size, or location of your company, and ERM concerns such as deductibles and retentions. All of which can be opportunities to improve your overall security posture by minimizing your residual risk after applying various risk treatments to vulnerable assets.
This is not an exhaustive guide to all the possibilities out there but applying many of the changes mentioned today to your program will leave you with less risk and, ideally, some cost savings on your premiums.
If you would like to focus even more on reducing your risk exposure, and potentially recoup some of your insurance expenses in the process, reach out to me for a free consultation on areas of your program that you want to focus on, or, more holistically, with our complete vCISO suite of services for a comprehensive information security program.
Let me know what you’re looking to accomplish in the following form.
Jon has been providing guidance in information security and technology risk for the last 24 years. His background includes serving as head of the information security program for a $2B financial institution, SVP of enterprise risk, and as CIO.
Once a university adjunct professor, Jon has the heart of a teacher and ensures his clients understand the ‘what’ and ‘why’ of solutions as he guides them through the establishment and maintenance of their information security programs.
Jon earned a Master’s degree in Computer Information Resource Management and has served in the United States Marine Corps. In his free time, Jon enjoys time with his wife and three ever-growing children, playing guitar and bass, and reading non-fiction. A favorite quote of his is from Charlie “Tremendous” Jones: “You are the same today as you’ll be in five years except for two things: the books you read and the people you meet.”