Cybersecurity Insurance: Once Optional, Now Essential

For business leaders, the rules have changed: Cybersecurity insurance can no longer be thought of solely as an “IT responsibility”.

Joe Oleksak, Partner, Cybersecurity Practice

December 1, 2023

4 Min Read
Egor Kotenko via Alamy Stock

Two universal truths have emerged for business and IT leaders across industries. First is that the role of IT is shaped by business need and organizational strategy. To stay ahead, organizations must adapt to secure data and systems in alignment with the fast-paced evolution of technology influenced by the business. Unfortunately, business leaders typically prioritize functionality and efficiency in a vacuum, not understanding the implications of security before moving forward. Consequently, they may rely on cybersecurity insurance as a fallback without fully realizing the potential risks involved.

Second, cybersecurity insurance is changing just as rapidly. Traditionally, it served as a safety net, allowing business leaders to rest easy. However, it is now clearly awakening them with cybersecurity premiums doubling, tripling and even quadrupling.

The stakes are high, whether it is the Joint Commission warning hospitals to plan to be down for a month or more following an attack, or the startling number of organizations that go out of business after a breach. Underwriters have recognized the trends and are adjusting for risk more appropriately. To secure the most affordable policy and premium pricing, it’s crucial for business leaders to make sure their house is in order.

Mitigating Risks and Costs

The cumulative impact of these “truths” is immediate and significant. That is why it has never been more important for business and IT leaders to take a (combined) fresh look at their cybersecurity processes and practices, and to contemplate several initial actions when considering their strategy for cybersecurity insurance:

  • Conduct a business impact analysis (BIA). It is imperative to understand the risks you face and quantify the impact various cyberattacks could have on the resiliency of the business. Ideally, the business impact analysis is governed by senior-leadership and includes representatives from IT, operations, finance, compliance, legal, human resources, marketing, public relations, any other key business unit leaders, and the board. This analysis effectively weighs the merits of different approaches to cybersecurity insurance.

  • Closely review cybersecurity insurance policies. In the face of cyber risks that can shutter otherwise healthy companies, underwriters are adding addendums and dependent clauses that policy holders must comply with. Far too many businesses find out after an attack that they didn’t satisfy the requirements of the insurance company’s contract and are on their own. Make sure to also look for more stringent rules on how quickly a breach must be reported. This is where organizational collaboration is required, as a CFO, a CIO, and legal counsel may evaluate insurance policies through different lenses.

  • Talk with a broker. It is important to stay informed of new cybersecurity options. Enterprises should also explore the merits of various approaches. For example, it is worth considering a hybrid approach in which your budget is strategically divided, with some spend invested into commercial insurance and some reserved for self-insurance. When purchasing a policy make sure to get several estimates. There is significant variability across plans and payers.

  • Make sure to baseline with standards and hold your vendors accountable (as well). Proactively implementing a control environment in line with industry accepted standards can significantly reduce your premiums. For those in regulated industries, it is imperative to remain in compliance with new and evolving regulations, for example the Securities and Exchange Commission’s rules finalized this summer. Business leaders in non-regulated industries should absolutely make sure they are meeting baseline standards like ISO 2700, NIST-CSF, SOC, HiTRUST, or PCI-DSS. While not bulletproof alone, in the face of them, attackers will often move on to less protected targets. This is why it is important that any vendors connected to your network should also be vetted to ensure they meet these fundamental standards.

  • Conduct a security assessment with a third party. We don’t know what we don’t know. Make sure to regularly get an external assessment before the insurance company’s own assessment. Insurance companies will often assess when the policy is created or when it is up for renewal. This includes looking at the security technology you have in place, privacy policies, governance, incidence response, employee training, encryption, vendor management, patch management and penetration testing to name a few. Having an annual independent assessment of your controls environment not only helps business leaders sleep at night, but it can also significantly affect premiums.

Cybersecurity insurance is unquestionably vital today, whether fully commercial, a self-insurance plan investing in cyber defenses, or a hybrid approach. It serves as a valuable tool for assessing and addressing risks beyond technology. Organizations, now more than ever, should view cyber insurance as an integral component of a holistic strategy where people and processes play a pivotal role in securing today’s interconnected networks, devices, and applications. It’s a strategic necessity, not just a business cost.

About the Author(s)

Joe Oleksak

Partner, Cybersecurity Practice, Plante Moran

Joe Oleksak CISSP, CRISP is a partner in Plante Moran’s cybersecurity practice, where he has more than two decades of experience providing companies across industries, including banking, healthcare, and insurance, with strategic guidance for IT planning and operations. His specialties include information security risk assessments, information technology audits, network security assessments and penetration testing, business continuity planning, incident response, application controls, SOC reviews, privacy audits such as HIPAA/HITECH, compliance with regulations like Sarbanes-Oxley, GLBA, and others – and standards reviews and certifications such as PCI-DSS, NIST, ISO, etc.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights