Four best practices to unlock cyber insurability
The cybersecurity landscape has reached unprecedented complexity and unpredictability. A single data breach can cause severe harm to a company, including remediation costs, reputational damage, and legal fines. In 2022, these damages amounted to an average of $9.44 million per data breach in the United States.
As cyber threats escalate, all businesses must consider obtaining a cyber insurance policy. However, this is easier said than done. Cyber insurance premiums have become far more costly, and requirements have become stricter. Organizations can be denied coverage altogether if they exhibit poor security hygiene.
So how can companies ensure they are well-prepared to meet the rising security standards set by cyber carriers? To start, they must understand what areas of cybersecurity insurers specifically look at when determining whether an organization is sufficiently secure. Cyber insurers tend to prioritize endpoint security, patching cadence and network security, as these three factors are often the most predictive of cyber risk.
Companies must take a holistic look at their cybersecurity posture and assess whether they are deploying the right strategies and tools to reduce cyber risk. Here are four tips to help them increase their chances of obtaining a cyber insurance policy.
- Obtain a better view of organizational endpoints.
Endpoint security protects devices such as laptops, desktops and mobile devices that connect to an organization’s network. Effective endpoint security is often a challenge for organizations because the number of devices connected to their corporate network is rapidly increasing. This makes controlling each device in the network incredibly difficult. Insurers prioritize endpoint security because these devices are often a weak link in an organization's overall security posture and a common entry point for many hackers.
Organizations must deploy endpoint security tools that include mobile device management, anti-virus software, data encryption, endpoint detection and response, and security patch updates to enhance this aspect of their security posture.
- Establish a regular patching cadence.
Patching cadence refers to the frequency at which an organization analyzes its networks, systems and applications for updates that can fix security flaws. Because the exploitation of vulnerabilities has been found to be one of the top three ways hackers access an organization, establishing a regular patching cadence is critical. An effective patch management procedure requires policies and processes for identifying, applying, and documenting security patches on an organization’s IT networks, systems and software.
- Implement robust network defenses.
Network security refers to the procedures and policies that protect the organizational network from unauthorized access, modification, misuse or disruption. A robust network security posture typically consists of a layered security approach, where numerous security controls are deployed in the IT environment to catch a potential attack as early as possible. These tools generally include antivirus software, application security and cloud security.
- Leverage security ratings to get one step closer to true cyber resilience.
Although prioritizing investments and processes within the above areas is key to increasing an organization's level of cyber insurability, organizations shouldn’t stop there. They must continuously monitor and assess their security posture and modify it as the threat landscape evolves.
Security ratings can help companies obtain a better view of their level of cyber risk by quantifying their security posture in an actionable and digestible way. Organizations can also use them to understand the gaps in their security posture and pinpoint specific areas needing improvement. These metrics can also serve as a method for organizations to prove their level of cyber readiness to potential insurers.
As cyber insurance coverage becomes increasingly challenging to obtain, organizations should know exactly where to make improvements to ensure they are up to par with stricter requirements. By centering their security posture around endpoint security, patching cadence and network security, and by using real-time data and analytics from security ratings to track and re-evaluate where changes should be made, organizations can come out on top in a dynamic cyber insurance market.
Andrew Correll is director of insurance solutions at SecurityScorecard. He may be contacted at [email protected].
© Entire contents copyright 2023 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.