Small and medium businesses (SMBs) are facing a reckoning now: their insurance companies are forcing them to get proper security measures in place or they risk not being insured. But how did it come to this?
Over the years, cybersecurity insurance has paid out billions in claims from malware and other attacks bringing businesses to their knees. As these attacks became more frequent and more targeted, it became costlier and more likely that insurance companies would have to pay out claims because companies were, and always will be, vulnerable to attack. And yet, insurance companies don鈥檛 want to shell out millions of dollars when their clients might have only paid them thousands of dollars鈥攊t鈥檚 just not profitable.
In response, insurance companies have introduced a few tools to lower their risk of paying out on losses due to cybersecurity incidents. And some of these tools have affected the way the industry couples cybersecurity and insurance.
One way insurance companies reduce risk is by writing policies at scale. If you have a small percentage of claims filed among millions of policies, then any losses are shared across the whole business unit.
For a long time, it seemed like insurance would just pay out every incident. When I worked at Datto, instead of end users wanting to use a backup solution some said that their recovery process was just to get paid out from their insurance and that was good enough for them after a ransomware event. That is a pretty extreme case but those companies used and misused insurance as a crutch and so insurance companies had to reduce their risk further.
Enter risk reducer number two: enforce cybersecurity standards. We have talked to countless service providers and IT teams, and many are being instructed by their insurance companies to adopt some level of security stack.聽
At a high level, the thought makes sense. And it鈥檚 a thought that we at 杏吧传媒 have been shouting from the rooftops for ages. The more layers of security you add, the less likely you are to have an incident. But then that brings us to our next looming question鈥
The truth is that most don鈥檛. This is because there isn鈥檛 a lot of data out in the world for insurance companies to comb through. Companies hide if they have been breached and for how much, and there are new terms and procedures in cybersecurity all the time.
Brokers get dictated to by their carriers, then the carriers need to run through a form and check off what a company does to protect themselves. Based on those answers, the carriers will say if they want to insure the company or not and by how much.聽
But herein lies the problem, there is a lack of universal cybersecurity standards and practices鈥攊t mostly comes down to the thought that the more security controls in place and money spent for those controls, the more secure the company and the less the cost of the policy. This is true of the cybersecurity industry as a whole.
Insurance carriers usually have something called an attestation document. It鈥檚 the document that insurance uses to verify that proper processes and policies were followed after an incident. If all was true and in place, the company gets paid out from the policy. If the insurance company reviews the attestation after the incident and finds that something was not fully in compliance with what was said on the attestation, then it鈥檚 likely the company that had the incident won鈥檛 be reimbursed with all the out of pocket expenses that they might have incurred during the incident.聽
For cybersecurity, the attestation document usually includes a series of questions like:
As you can tell, some of these questions are very general. Sometimes they get a bit more direct, but oftentimes they鈥檙e just plain old confusing, like:
These questions are pretty nebulous and usually require more clarification because it's a risk for the IT professional if these aren鈥檛 adhered to.
The ultimate goal is to make sure that insurance companies run through their due diligence to insure companies that reduce their exposure to within tolerable levels. If you can prove that based on the controls in place, then the insurance company should insure you.
Absolutely there will be. The US government has even released its recommendations with levels on what vendors working with the government should be adhering to with their security controls. It鈥檚 covered in five levels, with a five being the highest amount of security controls.聽
If it hasn鈥檛 started already, it鈥檚 likely that more insurance providers will start for companies they are looking to insure.
Well, until there is more definition as to what specifics are needed by insurance, it鈥檚 important to not just look at what security boxes need to be checked, but how and why you should check those boxes.聽
A great place to start is by reviewing and the 鈥攂oth of which were the basis for the CMMC recommendations.聽
From there, you can figure out the holes that need to be plugged. Spoiler alert: usually preventive technology isn鈥檛 the real issue. Detection and response are often the most critical layers that businesses are missing. And in the eyes of insurance, having EDR, MDR, or some type of detection and response capabilities listed on the attestation doc will help you answer 鈥測es鈥 when they come asking their list of questions.聽
Get insider access to 杏吧传媒 tradecraft, killer events, and the freshest blog updates.
