How to Get Lower Cyber Insurance Premiums
- Written by: Trevor Meers
- Updated: August 8, 2024
When this article was originally written in 2022, the cyber insurance industry was experiencing a massive premium hike. The good news is that cyber insurance premiums have dropped—by an average of 16%—since the industry peak during the summer of that year.
However, cyberattacks are on the rise. Ransomware attacks alone increased 85% in FY2023, and with the ubiquity of artificial intelligence, the threat landscape has continued to grow.
So, why have premiums decreased and leveled off?
Despite the surge in ransomware and AI-led attacks, new SEC disclosure rules, a much more competitive insurance market—thanks to fresh capital—and improved business cybersecurity measures have made insurance costs more sustainable.
Making your business more attractive to an increasingly competitive insurance market can secure better coverage and provide you with the best insurance premiums.
In this blog, we’ll outline key strategies to do just that—and with the added benefit of making your organization more secure along the way.
How to Reduce Your Cyber Insurance Premiums in 2024
The following policies and tools will not only enhance your security but also demonstrate to underwriters that you’re a lower risk.
Implement a Cybersecurity Framework
Adopting a cybersecurity framework shows insurers your commitment to security. The NIST Cybersecurity Framework is the most widely recognized for reducing cyber risks and is a great place to start.
Underwriters love to see steps taken to implement and improve cybersecurity protections, and that’s exactly what a framework is—a set of structured guidelines, best practices, and standards designed to help you manage and improve your cybersecurity efforts.
Engage External Expertise
Cybersecurity is a specialized task requiring advanced knowledge and skills, often beyond the resources of most organizations. Partnering with external experts like HBS bridges this gap. At HBS, we offer tailored cybersecurity solutions that enhance your security posture, making your organization more appealing to insurers.
A team of skilled professionals provides guidance and expertise to bolster your cyber defense strategy. By leveraging this specialized knowledge, you can meet and exceed insurers' requirements, improving your overall security and positioning your organization for better insurance coverage and more favorable premiums.
24x7x365 Monitoring
Continuous monitoring systems that catch threats early and shut them down make it much harder for ransomware to succeed. An IBM study found that organizations using security AI and automation spend 80% less handling a breach. A solution like Managed XDR from HBS can detect anomalous activity, correlate actions into a threat picture, and proactively shut down attacks, often within moments.
Multifactor Authentication
MFA is typically the leading indicator of an organization’s ability to prevent ransomware losses, and it’s one of the top things carriers look for. Without a sound MFA policy, you may be denied coverage.
And a general answer of “yes, we have MFA” won’t satisfy most carriers. They want details on how your MFA policy protects admin-level users, secures all remote access, and secures corporate email on non-corporate devices and web apps.
Effective and Documented Incident Response Plan
Develop and maintain an effective incident response plan. Documented procedures for responding to security incidents can significantly reduce the impact of a breach and show insurers that you are prepared.
While not a cyberattack, the recent CrowdStrike incident highlighted the difference between companies that had good incident response plans and those that clearly did not.
Security Awareness Training Program
Implement regular security awareness training for employees. Educating your team about potential threats and safe practices is crucial for minimizing human error, a common cause of breaches.
Solid Backup Procedures
Having solid backup and recovery procedures is essential for minimizing the impact of cyberattacks and ensuring business continuity. Insurers look favorably on organizations with robust data protection strategies because they demonstrate preparedness and resilience.
- Offline and Segregated Backups: Ensure your backups are stored offline or in a segregated environment to protect them from being compromised during an attack. This means even if your primary systems are breached, your backup data remains safe.
- Frequent Testing: Regularly test your backup and recovery procedures to ensure they function correctly. Monthly or quarterly tests can help identify and address any issues before they become critical during an actual incident.
- Access Control: Restrict access to your backups using multifactor authentication to prevent unauthorized access. This adds another layer of security to your critical data.
Preparing for Underwriting
To prepare for underwriting, we suggest starting early and seeking help from third-party experts and an experienced insurance broker. Expect a long list of detailed questions probing into your information security policies and tools.
Questions to anticipate include:
- What percentage of your IT budget is allocated to information security?
- Do you have a Chief Information Security Officer or equivalent?
- Which cybersecurity frameworks do you follow?
- Do you engage a third party to assess your cybersecurity program and controls?
- How do you track your software inventory by operating system and application version?
- Do you implement standard audit logging policies for hardware devices and software?
- What are your password policies?
- How do you encrypt data?
HBS consultants help organizations create customized security plans that not only help with cyber insurance costs but also secure the organization’s future.
For more insights and tailored cybersecurity solutions, contact us. We’re here to help you navigate cyber insurance and protect your organization against evolving threats.