The Surge of Cyber Insurance: How to Reduce your Cyber Insurance Premium with Information Security Controls? [Part 2]
How to Reduce Your Cyber Insurance Premium
Posted on Wednesday, January 11th, 2017 by Vanessa Henri

Cyber Insurance by no means replaces adequate information security practices.

To begin with, the insurable limit is often lower than the overall cost of an incident. For example, Target had $100M in cyber insurance coverage (with a $10M deductible), but the cost of the 2013 data breach reached more than three times this coverage limit. As a matter of fact, the maximum coverage an organization is likely to obtain is in the $300M range, and that only by using multiple underwriters.

Thus, most insurers will require some level of security as a precondition of coverage, and, in line with traditional insurance coverage models, companies adopting better security practices will receive lower insurance rates. With that in mind, premiums may range from $10,000 for small organizations with revenues of $100,000 to $500,000, to over $100,000 for businesses with revenues in the millions.

So what can you do, as a security expert within your organization, to reduce the cost of these premiums?


Understand the possible discounts by asking the right questions

These 3 questions proposed by NetworkWorld can help you identify all of the possible ways to reduce your premiums:

  1. Are discounts available if we are using specific trusted services for business applications?
  2. Are discounts available if we meet standards related to data security and protection?
  3. Are discounts available if we have third party certification of our security processes and protocols?

Many insurers will offer discounts for Managed Security Services.


4 practices that can definitely reduce the cost of your premiums

  1. Password management and access controls
  • Install the latest security software and apply all patches and updates (this is a requirement in some insurance policies).
  • Establish password management procedures and controls to manage the access and permissions of your employees.
  • Strong authentication systems can contribute to lower insurance premiums.

  2. Compliance with industry standards proven by technical testing
  • Michel Loeters, VP at BFL Risk and Insurance Services, said the following:

“Be proactive: Companies that produce independent evidence of industry standards will generally receive much better insurance rates on their cyber insurance program”.

This can be done through security assessments, such as cybersecurity posture assessments, risk assessments, or vulnerability assessments, provided by trustworthy security companies.

  3. Employee training

Your insurance company knows these facts. If you want to lower your premium, it is not enough to have policies on paper; they must be implemented and followed by employees.

  4. Establish and enforce an incident response policy
  • According to the Ponemon study, key cost-reduction factors include having an incident response team in place prior to a breach, along with employee training. Specifically, having an incident response team to execute the plan reduced the average cost of a breach from $217 per compromised record to $193.

Related post: Key Roles and Responsibilities for your Incident Response Team


Having response capabilities and an effective incident response policy will, therefore, decrease your premiums.


Smart Cybersecurity Insurance Purchase

The most effective way to purchase cybersecurity insurance is after you’ve created and implemented an information security policy and an incident response plan. After this exercise, you will be prepared to understand what your insurance needs are and how you can lower your rates based on the stated practices.

Also consider the other benefits your insurance company can offer when in-house and outsourced resources, such as credit monitoring services and post-breach counseling, are incorporated into the security program.

The good news is that, for many commentators, insurance companies drive better cybersecurity overall by imposing requirements that respond to new threats, thereby reducing the risks associated with externalities for all organizations.

What types of risks are covered by cyber insurance? What kind of coverage to get with which insurance? Do you need to get cyber insurance? Read our previous article on “The Surge of Cyber Insurance: What You Need to Know as a CISO to Choose Wisely [Part 1]”.


Vanessa Henri
About author:
Vanessa is an academic and legal expert on data protection laws, as well as a certified data protection officer. Currently, Vanessa is Hitachi Systems Security’s Director of Compliance and Privacy. She oversees the performance of privacy advisory services by Hitachi Systems Security to its clientele, including services such as GDPR Posture Assessments. She advises boards of directors at the macro-strategic level on the implementation of privacy obligations through efficient reporting systems. She has published a variety of data privacy-related materials and has contributed as a speaker to various conferences about data protection laws, such as Code Blue, in Tokyo. Vanessa is a member of the Quebec Bar Association, and holds a master’s in laws from McGill University. She also teaches corporate cybersecurity practices at St Thomas University, in Miami, Florida. She is a certified Data Protection Officer.
