Cyber Insurance by no means replaces adequate information security practices.

To begin with, the insurable limit is often inferior to the overall cost of an incident. For example, Target had $100M in cyber insurance coverage (with a $10M deductible), but the cost of the 2013 data breach reached more than three times this coverage limit. As a matter of fact, the maximum that an organization is likely to acquire is in the $300M range, using multiple underwriters.

Thus, most insurers will require some level of security as a precondition of coverage, and in line with traditional insurance coverage models, companies adopting better security practices will receive lower insurance rates. With that in mind, premiums may range from $10,000 for small organizations with revenues of $100,000 to $500,000, to over $100,000 for businesses with revenues in the millions.

So what can you do, as a security expert within your organization, to reduce the cost of these premiums?

 

 Understand the possible discounts by asking the right questions

These 3 questions proposed by NetworkWorld can help you to seize all of the possible ways to reduce your premiums:

1. Are discounts available if we are using specific trusted services for business applications?
2. Are discounts available if we meet standards related to data security and protection?
3. Are discounts available if we have third party certification of our security processes and protocols?

Many insurers will offer discount for Managed Security Services.

 

4 practices that can definitely reduce the cost of your premiums

 

1. Password Management and access controls

• Install the latest security software and patch all updates (this is a requirement in some insurance policies).
• Establish password management procedures and controls to manage the access and permissions of your employees.
• Strong authentication systems can contribute to lower insurance premiums.

 

2. Compliance with industry standards proven by technical testing

• Michel Loeters, VP at BFL Risk and Insurance Services, said the following:

“Be proactive: Companies that produce independent evidence of industry standards will generally receive much better insurance rates on their cyber insurance program”.

This can be done through security assessments, such as cybersecurity posture assessments, risk assessments, or vulnerability assessments, provided by trustworthy security companies.

 

3. Employee training

• According to a 2015 study by Wombat Security Technologies, increased investment in employee training can reduce the risk of a cyberattack by 45% to 70%.
• The 2015 Cost of Data Breach Study by the Ponemon Institute noted that 19% of data breaches are caused by employee negligence.
• A report from Ipswitch notes that 84% of employees are using personal email to send sensitive files and more than 50% expose company files or data by uploading to a cloud-based service such as Dropbox.

Your insurance company knows these facts. If you want to lower your premium, it’s not enough to have policies on papers, they must be implemented and followed by employees.

 

4. Establish and enforce an incident response policy

• According to the Ponemon study, a key cost-reduction factor includes having an incident response team in place prior to a breach, along with employee training. Precisely, having an incident response team to execute the plan reduced the cost of a breach from an average of $217 per compromised record to $193.

Related post: Key Roles and Responsibilities for your Incident Response Team

 

Having response capabilities and an effective incident response policy will, therefore, decrease your premiums.

 

Smart Cybersecurity Insurance Purchase

The most effective way to purchase cybersecurity insurance is after you’ve created and implemented an information security policy and an incident response plan. After this exercise, you will be prepared to understand what your insurance needs are and how you can lower your rates based on the stated practices.

Also, consider the other benefits that your insurance company can offer if in-house and outsourced resources, such as credit monitoring services and post-breach counseling are incorporated in the security program.

The good news is that, for many commentators, insurance companies drive overall better cybersecurity by imposing requirements that are reactive to new threats, and therefore reducing the risks associated with externalities for all organizations.

---

What types of risks are covered by cyber insurance? What kind of coverage to get with which insurance? Do you need to get cyber insurance? Read our previous article on "The Surge of Cyber Insurance: What You Need to Know as a CISO to Choose Wisely [Part 1]"