Cyber insurance needs an industry-wide standard

Cyber insurance needs an industry-wide security standard

Image by rawpixel.com via Freepik

Cyberattacks reached unprecedented levels in 2021, increasing 105% according to one report. No industry is immune to their impact, with supply chains, healthcare organizations and service providers all having been recently impacted by attacks.

With more and more companies realizing they need a better way to manage costs, protect themselves against cyberattacks and recover if needed, the popularity of cyber insurance has exploded. Unlike traditional insurance policies, cyber insurance protects companies from data breaches, cyberattacks like breaches, and terrorist acts, among other events.

While these policies have proven popular for insurance providers, the industry is not without its growing pains. In 2021, the average ransomware payment rose 78%, reaching $541,010, while the average ransomware demand grew 144% to $2.2 million. This demand has caused the supply of cyber insurance offerings to dwindle as providers look to make up for these losses or refuse to enter the market altogether.

In fact, cyber insurance premiums were up 92% YoY in 2021, leaving companies vulnerable to potentially catastrophic cyber emergencies. With premiums expected to stay high and criteria becoming stricter, the time is now for an industry-standard detailing what companies need to do to be insured.

An industry-wide cyber insurance standard will ensure that companies can protect themselves against cyberattacks. One simple way of doing this is to adopt a standard framework, like NIST-CSF. Frameworks like NIST-CF provide a template for best practices, requiring companies to continuously update and verify their systems, which ensures that they will always be properly equipped to manage cyber risk.

While every organization is different in terms of risk, a standardized framework makes it easier for companies to ensure their networks are secure. As a baseline framework, NIST-CF is more easily attainable than other complex frameworks. Having this as an industry standard means that those who need insurance can get it or take the steps required to get it without sacrificing the necessary safeguards to interact in today’s cyber environment.

Having a requirement for cyber insurance will also force complacent companies to act. Even in today’s environment of constant attacks, some organizations refuse to make the necessary investments to protect themselves. Mandating cyber insurance will require these organizations to at least have a solid baseline of security controls to improve overall cyber hygiene. These late adopters represent sustained risk which affects the verticals and taxonomies they represent.

An industry-standard framework will help alleviate some of this risk as it provides a standard framework for insurance providers to use when evaluating potential customers. By having a baseline checklist that users need to reach before applying for a policy, insurance providers would gain an understanding of a company’s current cybersecurity structure and would know that an organization is protected from certain risks. This would also help speed up the onboarding process, allowing companies to gain insurance quicker.

While some attacks are unavoidable, having an industry-wide framework in place would help solve some of the industry’s current issues and generate more opportunities for organizations to protect their assets.

As the cyber insurance industry continues to evolve, an industry-standard framework will serve as a critical guiding light for companies and insurance providers. It provides clear guidelines of what companies need to do to be insured and serves as a checklist for insurance providers to evaluate potential customers.

In turn, this will help lessen the impact of cyberattacks and create a more sustainable insurance marketplace for providers.

Dave Trader is a Field CISO at Presidio and has over 20 years of cybersecurity experience. Prior to Presidio, Dave was a CISO for 7 years at a technology company, and most recently a graduate of the FBI CISO academy out of Quantico. He also has over 70 certifications, including CISSP, CISM, and is a certified Ethical Hacker.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

ON DEMAND: Apple Mac computer use is growing in the corporate space. Having the solutions and the knowledge base to respond to events that include Mac computers is just as important as their Windows counterparts.