In this blog, we will discuss strategies to consider if you are denied coverage, common reasons an insurance provider might deny coverage, and several alternatives to cyber insurance.
Common reasons insurance providers deny policies
With insurance, it all comes down to risk. An insurance company will deny a policy if they deem the risk too high. Just as a teenager with a new driver’s license pays a higher premium, your company will also pay more for insurance if your organization does not implement mature cybersecurity protocols.
The first step is understanding why your policy request was denied or your premium is unaffordable. It is unlikely that the insurance company will give you this information, though it does not hurt to ask your agent. Next, to determine areas of high risk, review the information you provided about your current cybersecurity program. Review the questions and your answers to determine where the gap in security protections may be.
Filling security gaps
In most cases, you can address your cybersecurity issues by implementing high-quality information security controls, like those found in the NIST Cybersecurity Framework or CIS Controls. Adopting a security framework streamlines cybersecurity efforts and focuses your effort and the safeguards you deploy on sensitive data, networks, and systems. In addition, these two frameworks are free to implement.
Another free resource you can take advantage of is this list of five action steps from Justin Hall. After deploying a new security framework and taking the above steps, your company is more likely to qualify for affordable cyber insurance coverage.
But what if the premium is still too high or you are still denied?
Alternatives to cyber insurance coverage
Even if you are unable to afford cyber insurance, there are still plenty of options for companies looking to secure their data.
The concept of “self-insuring” is simple. You invest the money you would have spent on an insurance premium into your cybersecurity program.
For example, an insurance premium for a smaller company—100 employees and under—ranges between $15K and $25K per year on a $1 million policy. Allocate those funds toward cybersecurity initiatives such as deploying the NIST or CIS framework. The ROI is almost immediate. By systematically investing in developing your information security program over time, your business will be much less vulnerable to data breaches. In addition, you may be able to re-apply for cyber insurance after implementing the recommended controls.
Cyberattack response services
Another good tactic is to buy cyberattack response services. These services give your organization guidance in the event of an attack to help your business recover. Ideally, you want to prevent the attack in the first place. But having an experienced professional in your corner as a coach can lower the downtime and possibly limit the damage.
Limited insurance coverage and other strategies
Another option is to opt for reduced cyber insurance coverage. Many insurance providers offer incident response and recovery plans without ransomware payments or other financial compensation in the case of ransom demand or litigation costs. While not ideal, this at least provides some assistance in case of a disaster and helps you be prepared.
Some additional strategies that are not insurance but are well worth consideration:
- Cyber awareness education. Your employees can help defend against social engineering schemes by building a cybersecurity awareness culture.
- Crisis management coaching for leadership. Professional response coaching will allow your executive team to stay calm and effective in the event of a breach.
- Ransomware simulations. A tabletop exercise goes step by step through an imaginary cyberattack. Your team can identify gaps in the incident response plan, learn valuable lessons, and improve their responses.
- Work with a professional negotiator. If targeted by ransomware, a professional negotiator guides your company through the options, including whether to pay the ransom and potentially negotiate a lower ransom.
Work with a security expert
Taking the steps we discussed will make your business more insurable and digitally secure. One final step to consider is partnering with a security expert to implement or strengthen information security frameworks. Get in touch to learn how we can aid your business on the road to a more secure digital presence.
More from this blog series: