A new voice has been added to those requesting that facilities take action on cybersecurity issues: cybersecurity insurance companies. The demands made by attackers during an active attack, such as ransoms, and the costs associated with restoring functionality after an event have reached amounts that require organizations to carry cybersecurity insurance, also called cyber liability insurance or cyber insurance, to stay in business.
Why is Cyber Insurance Needed?
A study by the Ponemon Institute found that an operational technology (OT) cybersecurity attack costs businesses approximately $3 million. Other studies have found similar numbers, yet areas that are much harder to calculate, such as business reputation and client trust, are typically not factored into these estimates. With such significant costs, organizations must develop a strategy to address what to do when a cybersecurity incident occurs. Part of that strategy should include cyber insurance.
What Impacts My Ability to Get Coverage?
Cyber insurance companies will request information and evidence from prospective clients to understand the organization’s risk and assess its cybersecurity posture. Expect to provide evidence of activities such as an endpoint security strategy, strong identity, access control policies and procedures, and robust documentation and controls related to your organization’s networks. Missing or inadequate materials indicate potential risk areas, which may contribute to a more costly recovery from a cybersecurity incident. Your organization may be expected or required to address specific issues or outages identified by the insurance company before you are allowed to be covered by a policy.
What Is Involved in Getting Cyber Insurance?
Organizations looking into cyber insurance and preparing to shop for policies can take several actions in advance to make the experience more pleasant and efficient. You should be able to identify and work towards resolving issues or gaps in your cybersecurity posture before engaging with insurance companies. A cybersecurity assessment performed by a third party or even an internal group is an excellent way to evaluate your current status against an industry-standard benchmark or baseline.
Understanding the amount of coverage necessary for your organization to recover from an incident is an important exercise that should include members of accounting, leadership, operations, and any IT or OT teams. Identifying the losses per hour of a line, department, or entire site and the likelihood of those types of outages occurring within a year will help your organization better understand the coverage you need. It will also help you develop reasonable budgets for mitigating the risks that can lead to outages. Mitigation activities such as implementing new technologies, processes, or other resources may be more than your organization is capable of handling itself. Working with a trusted partner may be a sound approach for getting over the larger hurdles associated with upfront implementation, compared to the lower effort associated with sustaining or maintaining an already implemented solution.
Preparing your organization to work with a cyber insurance company is an excellent opportunity to learn more about your cybersecurity posture, identify areas that need additional support, and observe where you are meeting or exceeding expectations. By conducting a thorough assessment of your organization’s digital systems, documentation, and resources, you can lower risk while also increasing the capabilities of the environment through strategic upgrades or enhancement projects.
Why Should I Consider Getting Help?
Whether you are fully insured for a cybersecurity incident or just starting to think about your exposure and what to do about it, it is important to look for a trusted partner who can help you understand and navigate challenging cybersecurity projects and concepts. Working with an experienced provider will help save time and avoid common mistakes as you seek cyber insurance to protect your organization.
Alan Raveling, OT Architect
This blog was originally published in the Current Connections Winter 2023 issue.