The cost of a data breach can run as high as $4.54 million today, up from $3.86 million in 2020, according to an IBM study that says the fastest-growing — and costliest — type of cyberattack is ransomware. That’s why more companies are turning to cyber insurance to hedge their bets. Last year, the global market for such policies was estimated to be in the $13.33 billion range, and projected to reach $84.62 billion by 2030. Because the increased frequency of attacks has resulted in increased payouts, insurance providers now often require proof of adequate security measures.

“Rather than resisting or resenting risk assessments from potential cyber insurance vendors, IT leaders should regard them as an opportunity to strengthen their organization’s security posture,” according to TechCrunch, which stresses that “cyber insurance involves risk assessment.”

A study by Netwrix indicates that 50 percent of cyber-insured organizations “implemented additional security measures.” These can be as simple as implementing multifactor authentication and regular backups to more involved procedures like content filtering and remote desktop protocols (RPDs) so users can work remotely using encrypted access.

According to TechCrunch, such insurance can cover:

• Forensic analysis and incident response.
• Recovery of data and systems caused by actual loss and destruction.
• Cost of the downtime due to the cyber event.
• Costs incurred from sensitive data breaches, such as handling PR activities, notifying impacted clients, or even providing credit monitoring services to customers.
• Legal services and certain types of liability.

Just as a sophisticated anti-theft system can reduce the cost of insuring a car or a home, so too proper security measures can make cyber insurance easier to come by.

“An insurance provider may impose more security demands on a company that hosts large volumes of personally identifiable information (PII) than it does for a company of similar size with far less PII,” TechCrunch writes, noting “organizations that lack sufficient security controls to bring risk down to a level acceptable to an insurance provider might not be eligible for any policy at any price.”

The International Bar Association (IBA) has published an informational report on cybersecurity best practices guiding senior executives and boards to protect their organization from cyber risk.

“The reality is that, in the few places they exist, cybersecurity regulations vary considerably in terms of requirements, level of detail, and the method of supervision and enforcement,” the document says, adding that guidance is “often fragmented, and sector- or country-specific, and there is no globalized approach or set of principles for governance of cybersecurity risks.”

Related:
How Cyber Insurance Can Help Relieve the Financial Burden of a Cyberattack, Forbes, 7/5/23
Why CISOs Should Get Involved with Cyber Insurance Negotiation, Dark Reading, 7/27/23