Over my past three blog posts, I’ve talked about cyber insurance. The first one covered the topics of what it is and do you need it. The second post discussed what you need to have or know before you make the call to your agent to get a quote. My third post examined in detail what type of questions you’ll be asked and who else besides the information technology group has to be involved in order to answer the questions from the insurance carrier.
Now let’s talk about what to do if you can’t buy insurance, either because the premium is too high or no insurance carrier will cover you. Unfortunately, these days insurance carriers are denying coverage more often due to the very high probability that your company will be attacked and compromised. You want to prepare yourself for that possibility.
In this blog, I’ll cover your options if you are denied. Part one will address the reasons why the insurance company won’t cover you and what you can do to fix those issues. The second part will cover what you can do instead.
Insurance companies typically deny cyber insurance because they think you are too risky. Just like a 16-year-old who just got their drivers license is very risky for a car insurance company, your company or organization can be viewed as too risky if you don’t have good cybersecurity practices in place.
First, you should try to find out why you were denied. It’s likely that the insurance carrier won’t tell you why, you’ll just be denied. To find out, take a look at the questions in Cyber insurance, part 2: The insurance company questionnaire and also in Cyber Insurance, part 3: Filling out the questionnaire. When you answer the questions in those two blogs, the areas you need to improve will likely stand out.
But what to do?
More often than not, the problem that is preventing you from qualifying for insurance can be resolved by adopting an information security framework like the NIST Cyber Security Framework or CIS Controls. A framework helps you standardize what you are doing to protect your data, assets, and systems from threats. You can adopt either of these frameworks at no cost to you, other than your time and effort.
Something else you can do that doesn’t cost anything other than time but will help improve your security posture is answering these five questions from Justin Hall. After you answer those question you can take these five steps to make your environment safer.
Second, what can you do instead of buying insurance?
Something to consider if you can’t buy insurance is establishing “self-insurance” against a ransomware attack or other cyber incident. Your comptroller or CFO might like this idea. If you take the money equivalent to an annual insurance premium and invest that in your information security program, you can make your environment more secure.
Imagine this scenario:
The insurance premium for a small company (100 employees or less) can range anywhere from $15,000 to $25,000 a year for a $1,000,000 policy. Take that money and implement some of the basic security controls in NIST or CIS and you’ve improved your information security program right away. Strategically do that each year for five years and you will then have a much more secure environment that is resistant to cyber attacks.
Another option is to purchase incident response services in case you have a cyber incident. In this case you are purchasing re-active services when something bad happens. It’s not as good as preventing the incident, but you get help recovering from the crisis.
A third and final option would be to purchase a scaled down or limited form of insurance that will help you with recovery from an incident but not provide the payout of the ransom. The following services are not insurance but are services you should consider purchasing:
These are just a few of the steps you can take in case you can’t purchase cyber insurance at a price you can afford. One other action to consider is partnering with an expert vendor that specializes in information security and helping companies establish and strengthen their cybersecurity programs. Contact our security team today to get your security program on the road to insurability.
In my next blog, I’ll talk about what we can expect on the cybersecurity front in 2022.
Read the cyber insurance series from John Bruggeman:
Catch up with these tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman: