
Cybersecurity is a challenge that cannot be solved completely or simply checked off an organization’s to-do list. It is continuous work that requires a multi-faceted approach to reducing and managing any associated cyber risks.  

One approach to managing cyber risk is transferring part of it through cyber insurance, although many organizations are now questioning whether insurance is still worthwhile given recent changes in the insurance market. 

Over the last 12 to 18 months, the cyber insurance market has shifted significantly. Cyber insurance has generally become more expensive to purchase, and those pricier premiums now buy some organizations significantly less coverage than before. In some cases, organizations are paying several times what they paid in recent years and still receiving substantially less coverage. 

There are many reasons cyber insurance is becoming pricier and providing less coverage for certain organizations, including: 

  • Cyber criminals are becoming increasingly skilled at defeating the protections organizations have deployed, while continuing to exploit human error through phishing, which is frequently the initial entry point for ransomware  
  • Insurance companies face a much higher likelihood of claims, and those claims are likely to be more costly because the underlying incidents are larger and more disruptive to the organizations involved 
  • Measuring how well a cybersecurity program protects an organization and reduces its risk is difficult, and there is no universally agreed-upon standard for that kind of evaluation 

Together, these factors make cyber insurance difficult for insurers to price. Insurers have therefore reevaluated their risk tolerances, concluded that the increased risk means more potential exposure for them, and passed the resulting cost along in premiums. 

Many organizations feel helpless against the surging cost of cyber insurance and wonder whether there is anything they can do to counter rising premiums and shrinking coverage. In the past, organizations were likely willing to absorb the reasonable price of cyber insurance because the cost was easy to justify. Now they are thinking about risk management more strategically, asking, "How much actual risk mitigation are we getting?" and "Is cyber insurance worth it at this price point?" 

The good news is that there are concrete steps organizations can take within their cybersecurity program. These activities should reduce cyber risk and may also help maintain the coverage levels of prior years or limit increases in premiums.  

People, processes and technology 

On a foundational level, an organization's cybersecurity program should consist of a three-pronged strategy focused on people, processes and technology. Organizations cannot buy a set of expensive security tools and expect the technology alone to stop cyber attacks. They need to invest in all three facets for the program to be effective. The technical tools that protect systems and surface weaknesses are necessary, but so are the people who implement and manage those tools, and the well-constructed processes they follow so that everything runs effectively.  

When you look at the root cause of many data breaches, it typically involves a breakdown of cybersecurity process and controls as the initial entry point for a bad actor. We find that many organizations don’t put enough emphasis on the effectiveness of their cybersecurity processes and controls.
Jeff Krull, leader of Baker Tilly’s cybersecurity practice

Organizations should make sure their cybersecurity program addresses the risks that actually apply to them. Here are some of the activities that can reduce risk and that insurers may require as a condition of adequate cyber insurance coverage:

People
  • Hire skilled cybersecurity talent to cover both the cybersecurity strategy and the tactical protections 
  • Supplement internal cybersecurity talent with service providers, including periodic independent tests of your protections (e.g., penetration tests) 
  • Engage leadership and the board to support new investments through frequent reports on the cybersecurity program 
  • Train your people to recognize cyber threats and to protect themselves and the organization 
Processes
  • Implement an industry-accepted standard or framework (e.g., NIST CSF, ISO/IEC 27001) as the basis of the cybersecurity program 
  • Develop and test a robust incident response plan, for example through tabletop exercises, for the most likely cyber incidents (e.g., ransomware, account compromise via phishing) 
  • Implement robust monitoring practices, with a named owner for triage, so that timely and appropriate action is taken when security tools produce alerts  
  • Assess and monitor all cloud and IT vendors that access organizational data 
Technology
  • Require multi-factor authentication for access to all systems, prioritizing remote access, email and privileged accounts, and prefer phishing-resistant methods where available 
  • Configure devices (e.g., laptops, phones) to encrypt all data at rest (full-disk encryption) 
  • Maintain backups that ransomware cannot reach, such as offline or immutable copies, and test restores regularly  
  • Protect servers and endpoints with anti-virus/anti-ransomware tools, ideally with endpoint detection and response (EDR) 
  • Invest in security event monitoring tools (e.g., a SIEM) that centralize and automate the review of network and system logs and activity 

Organizations are realizing how hard it is to hire full-time cybersecurity specialists. Even when an organization has the money, finding and hiring the right people is a real challenge. There are not enough skilled cyber professionals to go around, and the pandemic added a further complication by normalizing remote work, so that talented cyber workers can now work for any organization regardless of geography. The result is a supply-and-demand imbalance that has driven up the cost of finding, hiring and retaining talent. 

Additionally, processes tend to be the most overlooked aspect of a cybersecurity program. Organizations cannot simply pick a framework and do everything it says; cyber standards are not one size fits all. You should adapt the framework to the specific needs of your organization, your industry, your regulatory requirements and your risks. The resulting processes should be game plans of specific activities that help the people and technology components run effectively and efficiently.  

Finally, an organization can have all the "best" technology, but if the tools are not properly implemented and managed by trained people following defined processes, then one area (e.g., email) may be properly secured while another (e.g., cloud) is left exposed to attack.  

Assessing risk and addressing cyber insurance questionnaires 

As part of their cybersecurity program, organizations should have the effectiveness of their protections checked through an independent cyber assessment. An independent cyber assessment has two benefits: (1) it provides independent validation of your program and identifies gaps or areas for further improvement; and (2) it prepares the organization to respond to cyber insurance questionnaires.  

It is important to note, however, that cyber assessments are just a piece of the puzzle.

Some companies think, ‘We have this assessment and that assessment, so we’re definitely going to get insurance.’ But that isn’t the case. It’s very helpful to have those assessments, but they’re not the only thing required anymore.
Bernard Regan, a principal in the global forensics consulting practice

These questionnaires are the primary input insurers use to price and define cyber insurance coverage. Insurers are likely to ask about antivirus protections, ransomware and malware safeguards, backups, cyber training and other controls in a post-pandemic hybrid world where people work in the office, at home and everywhere in between. Insurers will also likely ask how often the cybersecurity program and its practices are assessed by third-party providers, for example: 

  • Does your organization have an independent party periodically assess your whole cybersecurity program?  
  • Does your organization perform periodic penetration testing where an outside independent organization attempts to bypass your protections?  
  • Does your organization have any third-party assurance audits performed, such as System and Organization Controls (SOC) reports, HITRUST certification or Department of Defense Cybersecurity Maturity Model Certification (CMMC)?  

Periodic cyber assessments by independent third parties reduce cyber risk only if the organization acts on the results: it must make the recommended improvements and keep investing in the cybersecurity program. Those improvements and investments, in turn, may help the organization maintain or obtain better cyber insurance coverage and may limit increases in insurance costs.  

Steps to take now 

Baker Tilly conducts cybersecurity assessments of all types (e.g., SOC, HITRUST and CMMC) for clients in a variety of industries. We also team up with many internal audit departments by providing trained and skilled IT and cyber internal auditors to help complete their IT/cyber-related internal audits. 

Additionally, in many assessments, we create models that demonstrate the financial impact of a cyber attack and the ensuing interruption, as the damage can likely go well beyond simply the data restoration and incident response costs.  

Beyond that, we supplement internal teams with additional expertise, including industry-specific knowledge from experienced cyber professionals. We do not offer generic cyber assessments; we perform tailored, industry-specialized risk assessments that account for the threats facing those industries and the individual needs of each organization. We also provide targeted assessments aimed at determining where an organization is potentially open to threat actors. 

These assessments add immense value to an organization’s cyber risk posture and cybersecurity program. For more information on how Baker Tilly can assist your organization with cybersecurity risk, contact me. 

Mike Cullen
Principal