Cyber Insurance: Why Your Security Maturity Matters More Than Ever

Our GRC Lead Alex Ward with CFO Drew Howell on the importance of cyber insurance.


Quoting a sports movie to open a cybersecurity article might seem strange, but the pearl of wisdom "the first cheque you write is for the mortgage, but the second is for the insurance" from The Blind Side really does reflect the approach of many businesses, not just homeowners.

However, the reality is that when it comes to cyber insurance, many organisations are not only struggling to get appropriate coverage and reasonable premiums, but are also finding that they are being refused coverage outright. This makes it difficult for them to follow Leigh Anne Tuohy's wisdom from the movie and protect themselves with cyber insurance.

There are several factors that have led us to this point. Clearly, the seemingly endless number of cybersecurity incidents over the last few years has led to insurers taking a financial beating in payouts, resulting in increased premiums and reductions in (or at least a tightening of) the coverage offered. This is standard for insurance: premiums increase year-on-year, and more incident-related payouts push them higher still, so none of this is surprising.

On the other hand, the most interesting (and in my opinion, most important) factor is the move by insurers to show significantly more rigour in assessing prospective organisations' security maturity. Security Centric assists many of our clients in responding to insurance questionnaires, and we have seen firsthand the increased focus on preventative technical solutions (like Security Operations Centres) and security standards (ISO 27001, Essential 8 Requirements).

There are commonalities appearing across the various insurance providers that we have completed questionnaires for. Monitoring and alerting functionality is an area of heavy focus, as well as incident response planning and capability. On top of this, organisations are expected to have fairly robust policy and process documentation to provide to insurers as evidence of their security maturity.

Security Centric have also seen that small to mid-sized businesses and larger, high-turnover organisations are facing the same scrutiny from insurers. This makes it all the more important for organisations (especially SMEs) to focus their budgets on preventative security, so that they prevent incidents rather than react to them. Doing so will enable them to receive improved premiums and coverage (that they hopefully do not have to call upon).

As we approach the end of the year and the extended Christmas break, it can be a good time to review your current cyber insurance to ensure you are confident in your coverage, in terms of not only insurance but also security capability. If in doubt, reach out to Security Centric to discuss where we can assist your organisation to improve security maturity and reduce cyber insurance premiums.