Are you getting ready to renew your cyber insurance policy? In our ever-changing cybersecurity landscape, it’s a must-have for any service provider. But with so many requirements and details, it can be challenging to effectively stay on top of what you need to renew your cyber insurance in 2023 and beyond.
Fear not – we’ve got the answers. Today, we outline the top three elements you need to have in place before approving a renewal… as well as the two key factors many forget during the process. Read on for insider tips guaranteeing that every part of your policy is renewed without a hitch.
When it comes to cyber insurance and why you need it, newer businesses often undervalue what it provides. With over 33 billion records estimated to be stolen by the end of 2023 alone, service providers need quality cyber insurance to protect their businesses against the liability of cybersecurity risks and data breaches.
Cybersecurity insurance works to help restore breached employee or customer identities, recover compromised data, and repair damaged business-related devices. Across North America, this type of business liability insurance generally covers IT forensic investigation, credit monitoring for security-breached individuals, regulatory fines, class action lawsuits that may result from the breach, and more.
With an avalanche of businesses continuing to move to entirely remote working in the wake of the COVID-19 pandemic, companies are more at risk of system breaches than ever before… and that risk level will only continue to increase over time. On top of opening yourselves up to potentially significant financial losses, those without cybersecurity insurance also risk losses in public trust and damaged brand authority.
Before we move on to the top requirements for cyber insurance renewal, let’s first cover the common frequently asked questions and misconceptions surrounding it.
“Do small-to-medium-sized businesses need cybersecurity insurance?”
Yes. 60% of SMBs go out of business within six months of falling prey to a cyberattack, making cyber insurance a necessity.
“The industry I’m in is at less risk of cybercrime, so I don’t need to renew my cyber insurance."
No industry is immune from the threat of cybercrime. At Packetlabs, we frequently offer 360-degree penetration testing services to retail, e-commerce, healthcare, government, technology, utilities, energy, finance, and education.
“Are data breaches already covered under general liability insurance?”
General liability insurers do not cover data breaches. This means that cyber insurance is a requirement if businesses want to recoup any financial losses caused by cyberattacks.
Now that we’ve dispelled common myths and queries, it’s time to move on to everything you need to know about renewing your cyber insurance.
With premiums seeing a dramatic increase for most companies (some going up by as much as 50%), it’s essential that your cyber insurance policy coverage limits are thoroughly reviewed before renewal.
Higher deductibles, ransomware-related coverage limits, and coinsurance changes should all be factored in when weighing up whether to renew your plan or change policies.
Since the cyber insurance market is course-correcting after large-scale incident payouts in previous years, insurers want organizations to demonstrate consistency and dedication to their year-round security efforts. Meaning? A questionnaire prepped one month ahead is no longer impressing cyber insurers: a comprehensive cybersecurity program is the only way to keep prices down while maintaining a solid security posture.
With some carriers no longer offering to renew policies, this dedication may even be the difference between having insurance and not.
Packetlabs is a North American SOC 2 Type II certified penetration testing company that partners with organizations like yours to safeguard digital spaces. As such, we see first-hand the importance of enforcing iron-clad cybersecurity year-round.
First founded in 2002, we at Packetlabs have built our reputation on going beyond the standard pentest: instead, we deliver 360-degree solutions, 95% manual testing, and a 100% commitment to actionable results.
That means no more late-night phone calls after a security breach, no more breaking the news to customers after a ransomware attack, and no more using holiday time to enact damage control efforts. It also means ensuring you have the best cyber insurance renewal options.
By partnering with a Pen Testing as a Service company like Packetlabs, you demonstrate to insurers that you know how worthwhile an investment security is, and that they won’t be risking their funds to keep you and your assets protected.
A PTaaS vendor like Packetlabs can work with your team to establish a cybersecurity checklist before renewal season.
Typical checkboxes include, but are not limited to:
Engaging with key stakeholders across the organization to facilitate buy-in, insights, and security-related priorities
Conducting in-depth objective-based penetration testing to simulate real-world attacks
Selecting a cybersecurity framework and building on it year-by-year in order to demonstrate year-over-year progress to insurers
Establishing a steady cadence of real-time, actionable reports
Auditing continuously to ensure compliance with up-to-date security standards for your industry
Reviewing internal compliance among team members and other key stakeholders
At Packetlabs, our global team of ethical hackers works around the clock to unveil vulnerabilities that haven’t even showcased themselves yet, and to keep your team informed on the most effective way to eliminate the threats that are sure to come knocking.
These measures bolster your chances of successfully renewing your cyber insurance policy and significantly mitigate cyberattacks you may face in the meantime.
Did you know that you must have specific security measures in place to be considered for a cybersecurity insurance policy?
These requirements are:
Multi-Factor Authentication (MFA): Multi-factor authentication across all insured resources is required to mitigate the risk of stolen credentials
Ongoing Testing of Your Systems: To ensure that security is in place, insurers will need to see that all of your systems are tested periodically and on an ongoing basis
Cybersecurity Awareness Training: Cybersecurity awareness training is crucial, as it acts as the first line of defence against common cybercrime tactics like phishing and social engineering
Data Backups: You will need to prove that your data is backed up, showing that you can recover from a ransomware attack without needing to pay said ransom
VPNs (Virtual Private Networks): VPNs need to be in place for all remote desktop services, so that remote access traffic to your IT infrastructure is encrypted
Third-Party Vendor Audits: Audits of third-party vendors are required to determine the level of access they may have to your systems, data, and general business-related assets
Endpoint Detection and Response (EDR) Antivirus Software: EDR antivirus software is a requirement and needs to be installed on all connected business devices
Last but certainly not least, being proactive and informed during cyber insurance renewal season is vital.
This can be accomplished by working with your broker to determine the best way to pass on cybersecurity-related information (for example, do they want filled-out reports or questionnaires, or would they prefer cross-functional meetings with your CISO and other key stakeholders?) and providing all available information regarding recent remediations upfront.
Be eagle-eyed about underwriters changing coverage terms and notification requirements, as insurers adjust these frequently. Before renewing, you should know what kinds of events require notice and clearly understand the terms laid out in your contract. Since there is no standardization across cyber insurance policies, wording varies widely from one policy to the next; language can be clarified with your insurer during the meeting.
Bookmark this blog to have the following questions on hand for your upcoming insurance renewal:
“What are the minimum security requirements expected under this policy?"
Often, policies will mandate minimum security requirements that must be met before any coverage is offered. If you are unsure whether your minimum security requirements are being met, we advise you to invest in application security testing.
“What measures can I put in place to reduce my premium?”
Consistent penetration testing and utilizing PTaaS for your reporting and communication will work towards lowering your premiums, as it can be easily proven that your processes are efficient and streamlined.
“What are the audit and compliance obligations under this policy?”
The bulk of cybersecurity insurance policies will require regular audits and in-depth compliance reporting. This is to ensure that the policy remains current. As such, it’s non-negotiable that your security team fully understands and plans for these audits since a failure to meet their standards may nullify your contract.
“What is the minimum downtime after an attack before the policy will respond?”
Since breaches happen in the blink of an eye, we do not recommend investing in policies that respond after a minimum downtime period. Instead, opt for renewing policies that offer immediate assistance, rather than making you wait 12 (or even 24!) hours after an incident occurs.
“How well does this policy fit our organization’s existing insurance?”
Noting any gaps between policies is essential to protect your assets from being exposed. Overlaps in policies may also incur wasted funds.
“How will a security breach impact my premiums?”
Depending on your policy, a security breach may trigger additional obligations or a reduction in future premiums. Clarify with your insurer what a breach means in the context of your specific policy.
“How quickly do I need to report a breach for it to be covered by cyber insurance?”
Sometimes, breaches take months, or even years, to be uncovered, especially if the business didn’t have comprehensive cybersecurity in place years prior.
Due to these wait times, some “sleeper events” may not be covered. Specify with your insurer how long their grace period is for reporting… and continue working with ethical hacking teams to guarantee that these incidents are caught early rather than discovered long after the fact.
“What regions or territories does this insurance cover?”
Because insurers do not generally extend coverage past specified regions, you will need to clarify what areas are covered. This is especially important if you have global team members or clientele.
Most cyber insurance providers require a detailed cybersecurity assessment before approving both new applications and renewals. This ensures that organizations are implementing best practices to reduce their vulnerability, versus simply relying on insurance to cover their potential losses. Manual threat assessments, up-to-date employee education, cloud penetration testing, and more all work to mitigate both your vulnerabilities and your insurance premiums.
Ready to make your cyber insurance renewals work for you? Get a free quote today.