Cyber Insurance by no means replaces adequate information security practices.
To begin with, the insurable limit often falls short of the overall cost of an incident. For example, Target had $100M in cyber insurance coverage (with a $10M deductible), but the cost of the 2013 data breach reached more than three times this coverage limit. As a matter of fact, the maximum that an organization is likely to acquire is in the $300M range, using multiple underwriters.
Thus, most insurers will require some level of security as a precondition of coverage, and in line with traditional insurance coverage models, companies adopting better security practices will receive lower insurance rates. With that in mind, premiums may range from $10,000 for small organizations with revenues of $100,000 to $500,000, to over $100,000 for businesses with revenues in the millions.
So what can you do, as a security expert within your organization, to reduce the cost of these premiums?
These 3 questions proposed by NetworkWorld can help you identify all of the possible ways to reduce your premiums:
Many insurers will offer discounts for Managed Security Services.
“Be proactive: Companies that produce independent evidence of industry standards will generally receive much better insurance rates on their cyber insurance program”.
This can be done through security assessments, such as cybersecurity posture assessments, risk assessments, or vulnerability assessments, provided by trustworthy security companies.
Your insurance company knows these facts. If you want to lower your premium, it’s not enough to have policies on paper; they must be implemented and followed by employees.
Having response capabilities and an effective incident response policy will, therefore, decrease your premiums.
The most effective way to purchase cybersecurity insurance is after you’ve created and implemented an information security policy and an incident response plan. After this exercise, you will be prepared to understand what your insurance needs are and how you can lower your rates based on the stated practices.
Also, consider the other benefits that your insurance company can offer if in-house and outsourced resources, such as credit monitoring services and post-breach counseling, are incorporated in the security program.
The good news is that, for many commentators, insurance companies drive overall better cybersecurity by imposing requirements that respond to new threats, thereby reducing the risks associated with externalities for all organizations.
What types of risks are covered by cyber insurance? Which kind of coverage should you get, and from which insurer? Do you need cyber insurance at all? Read our previous article on "The Surge of Cyber Insurance: What You Need to Know as a CISO to Choose Wisely [Part 1]".