How to Obtain Good Cyber Insurance Coverage at Good Rates

Cyberattacks continue to increase in frequency and sophistication, often outpacing efforts to combat them. Despite growing investments in security tools and employee training, the vast majority of organizations experience one or more security incidents every year, and the costs of those incidents are increasing.

According to the Identity Theft Resource Center, 81 percent of smaller organizations fell victim to a cyberattack, data breach or both between August 2023 and August 2024. Of those, 76 percent were attacked more than once. More than a third (38 percent) suffered financial losses of $500,000 or more.

Naturally, many organizations are buying cyber insurance policies to offset some of the risk. A Sophos study found that 55 percent of organizations with 100 to 500 employees have a standalone cyber insurance policy. Another 39 percent have cyber liability coverage included in other insurance policies. Awareness of the business impact of security incidents is the primary driver of cyber insurance purchases.

The Challenge of Getting the Right Coverage

However, organizations aren’t always getting the cyber insurance coverage they need. Part of the problem is that IT leaders are not certain what their policies cover. They may think the policy covers extortion payments or loss of revenue when it doesn’t, leading to a false sense of security. In many cases, cyber insurance policies are purchased without the input of the IT leaders who would have greater insight into what types of coverages best fit the organization’s risk profile.

Another problem is that the total cost of a security incident is rising faster than insurance coverage. The Sophos study found that insurers typically paid about two-thirds of the total incident cost. The most common reason for partial payment was that the total cost exceeded policy limits.

Cyber insurance is also becoming more difficult to obtain. Insurers are requiring that organizations implement a range of security controls in order to obtain and retain coverage. Almost all organizations buying cyber insurance have made security investments to qualify for coverage, get better pricing or get better policy terms.

Common Cyber Insurance Policy Requirements

Most insurers will conduct an assessment to determine whether an organization qualifies for coverage, what coverage they’ll offer and how much the premiums will be. In many cases, insurers will require an organization to answer a questionnaire. Occasionally, they may require a third-party audit. Organizations seeking coverage should prepare to meet the insurer’s requirements.

Almost all insurers require basic network security controls, such as a firewall and an intrusion detection and prevention system, and regular audits of those controls. Other common requirements include multifactor authentication, to reduce the risk of account takeovers and unauthorized access, and encryption, to protect sensitive data.

Most insurers also require an incident response plan that documents the steps the organization will take when a cyberattack occurs. A well-documented incident response plan is proven to accelerate response and reduce the impact of a cyberattack. The insurer may require that the plan be tested and updated regularly.

Benefits Extend Beyond Cyber Insurance

Another common requirement is security awareness training. Insurers look for a high-quality training program that is offered at regular intervals. Most cyberattacks begin with social engineering, so educating users creates a “human firewall” that reduces risks.

All of these requirements align with cybersecurity and risk management best practices. Organizations that make investments in these controls improve their security posture and reduce the likelihood that they’ll need to file a cyber insurance claim.

Complying with cyber insurance requirements isn’t easy, and assessment questionnaires can be lengthy and confusing. The Verteks team is here to help you answer the questions and implement the security controls needed to get you a good policy at a good rate.

