
How to Save on Cyber Insurance via the Right Data Backup Strategies

By Kari Rivas, Senior Product Marketing Manager at Backblaze

With an ever-increasing onslaught of sophisticated cyberattacks, companies are increasingly turning to cyber insurance to protect themselves from losses in case it becomes their turn to be breached. In fact, the global market for cybersecurity insurance is projected to grow from $11.9 billion in 2022 to $29.2 billion by 2027. However, that growth does have a downside: cyber insurance premiums skyrocketed by 50% last year.

This growing price tag will make cybersecurity insurance a difficult sell to CEOs and boards, given 2025 has already seen much belt-tightening and hesitance to invest in new programs. 

Unfortunately, there are no coupons to clip or membership discounts when it comes to enterprise solutions and services. CISOs eager to give their organization a new line of protection will need to do their homework. Luckily, there are best practices that strengthen a company’s cyber resilience and make it more attractive to providers. (However, please note this is not a guarantee of coverage or a lower premium.)

Determining How Much Coverage to Get 

The first step in saving is to avoid overpaying, so CISOs should be sure to understand how much coverage they’ll need. Cyber insurance typically covers lost income from a digital attack but may also cover unforeseen expenses in both best- and worst-case scenarios. These can include forensic post-breach reviews, public relations/crisis communications retainers, court-ordered judgments and litigation fees, and accounting expenses. They may also cover ransom payments. However, according to expert guidance, it is never advisable or prudent to pay the ransom, even if it’s covered by insurance. Before reaching out to providers, CISOs should determine what additional expenses they’re likely to incur in the event of a breach. 

CISOs will also need to choose between first-party coverage, third-party coverage, or both, depending on how substantial a digital attack’s losses could be to the organization: 

  • First-party coverage protects a company’s data and includes coverage for business expenses related to recovering lost or stolen data, lost revenue due to business interruption, legal counsel, and other types of expenses. 
  • Third-party coverage protects companies from liability claims brought by someone outside the company. This type of policy might cover things like payments to consumers affected by a data breach, costs for litigation brought by third parties, and losses related to defamation. 

General Best Practices for Cyber Insurance Readiness 

Cybersecurity insurance providers often use a questionnaire and assessment period to understand how prepared an applicant is to detect, limit, or prevent a cyber attack. An organization that meets the criteria, with a solid security infrastructure and disaster recovery procedures, is more likely to receive a lower premium. Though each provider has unique requirements, these are the typical best practices they’ll often look for:

  • A business continuity/disaster recovery plan that includes a formal incident response plan is in place, and a designated role, group, or outside vendor is responsible for information security. 
  • There is a written information security policy, and every employee must complete mandatory social engineering/phishing training. 
  • The company deploys common security measures such as spam and phishing email filters, antivirus software, firewalls, and encrypted company devices.
  • Two-factor authentication (2FA) is required for email, remote access to the network, access to cloud storage and applications, and privileged user accounts.
  • IT/security teams monitor the network in real time, and an endpoint detection and response system is in place.
  • Independent security experts are brought in for an unbiased risk assessment ahead of the provider’s own team, for a clearer understanding of where improvements could be made.

Improving Data Backup Strategies 

With the rise of ransomware attacks threatening to hold valuable data hostage, organizations should pay especially close attention to their data backup strategies. A sound backup strategy can mitigate the damage from an attack and, therefore, potentially reduce insurance liability. CISOs should look to update company policies with the following best practices:

  • The 3-2-1 backup strategy: having at least three copies of company data, on two different types of media (for example, one copy stored on NAS and one copy stored on LTO or in the cloud), and at least one copy off-site. Ideally, one of those copies will be physically or virtually air-gapped to protect the most valuable data. 
  • Note: Even if a backup is off-site, insurance providers may not consider this secure enough if the off-site copy is in the same geographic region or held at a company’s own data center. This is why storing at least one copy of your data with a cloud storage provider may support eligibility requirements. 
  • Encrypting data stored on-premises, in the cloud, and while in transit, and requiring 2FA for access to the cloud storage account.
  • Frequent backups utilizing the Grandfather-Father-Son strategy: varying full and incremental backups on a monthly, daily, and hourly schedule.
  • Utilizing Object Lock solutions on stored data so attackers can’t delete it in the case of a breach. Object Lock functionality for backups allows you to store objects using a Write Once, Read Many (WORM) model, meaning after it’s written, data cannot be modified. Using Object Lock, no one can encrypt, tamper with, or delete your protected data for a specified period of time, creating a solid line of defense against ransomware attacks. 
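
The practices above can be checked against a backup inventory before an insurer's assessment. The following is an added example, not code from Backblaze or the original article: the `Copy` fields, the `audit` function and both sample inventories are constructed for illustration, and it assumes the stricter reading of the note above, where an off-site copy only counts if it is outside the primary region and held by a third party.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                  # e.g. "nas", "lto", "cloud"
    region: str                 # geographic region holding this copy
    third_party: bool           # True if held by an outside provider
    encrypted: bool
    locked_until: Optional[date] = None   # Object Lock retention end, if any

def audit(copies, primary_region, today):
    """Return a list of gaps against the backup practices listed above."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than three copies")
    if len({c.media for c in copies}) < 2:
        gaps.append("fewer than two media types")
    # Assumption: off-site only counts if it is outside the primary region
    # and not in the company's own data center.
    if not any(c.region != primary_region and c.third_party for c in copies):
        gaps.append("no off-site copy outside the primary region")
    # An expired retention date no longer protects against deletion.
    if not any(c.locked_until and c.locked_until > today for c in copies):
        gaps.append("no copy under active Object Lock retention")
    gaps += [f"{c.name} is not encrypted" for c in copies if not c.encrypted]
    return gaps

# Constructed sample inventories (hypothetical names and regions).
TODAY = date(2025, 6, 1)
WEAK = [
    Copy("production", "nas", "us-west", False, True),
    Copy("local-nas-backup", "nas", "us-west", False, False),
    Copy("dr-datacenter", "nas", "us-west", False, True, date(2025, 3, 1)),
]
STRONG = [
    Copy("production", "nas", "us-west", False, True),
    Copy("lto-vault", "lto", "us-west", False, True),
    Copy("cloud-bucket", "cloud", "eu-central", True, True, date(2025, 9, 1)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(inventory, "us-west", TODAY) or "meets all checks")
```

The weak inventory has three copies yet still fails four checks, which is the situation the note on same-region off-site copies describes.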

Cyber Insurance Best Practices Are Good for Security 

Cyber insurance provides peace of mind – when a company is faced with a digital incident, it will have access to resources with which to recover. And there is no question that by increasing cybersecurity resilience, CISOs are more likely to find an insurer with the best coverage at the right price, which is sure to make their CFO partners happy. 
