Every year, more companies are finding out firsthand how damaging a cyberattack can be. Research for the 2023 State of the Phish report from Proofpoint found that 30% of companies that were successfully attacked experienced a direct monetary loss. That’s an increase of 76% year over year. And costs for these attacks are rising. IBM reports that the global average cost of a data breach went up by 15% over the last three years, hitting $4.45 million in 2023.
Concerns about costs and risks mean that more companies than ever are buying cyber insurance. A World Economic Forum survey found that 71% of organizations have cyber insurance. And Allied Market Research projects that the global cyber insurance market, which is currently valued at $12.5 billion, will reach $116.7 billion by 2032.
Investing in cyber insurance for your business can be a wise strategy. For one, it helps you to transfer some of the financial risks of a cybersecurity event to your insurance provider. But the cyber insurance landscape is changing. You should know that getting the coverage you want might be a challenge, and you will need to meet an array of cybersecurity insurance requirements. In this blog post, we’ll cover six of the most common requirements you’ll likely need to fulfill.
What is cyber insurance—and what does it cover?
But first, let’s take a closer look at what cyber insurance is and why it is important. Also known as cyber liability insurance, this relatively new type of insurance helps to protect businesses and individuals from the negative impacts of cybersecurity events. It generally covers:
- Loss of data and the associated recovery
- Loss of revenue due to business interruption
- Loss of transferred funds from cyberattacks, like business email compromise (BEC) and phishing
- Loss of funds from ransomware and extortion
Many policies also cover the aftermath and follow-up events associated with a data breach. This includes the costs associated with identifying and notifying victims, credit monitoring for victims and forensics expertise, to name a few.
Why is cyber insurance important?
For many companies, cyber insurance is an essential part of their risk management strategy. It covers many costs related to cyber events, such as legal expenses and fees for compliance violations. Depending on the policy, it might also cover:
- Ransomware attacks. If your business is hit with a ransomware attack, you may face demands for payment to unlock your systems. Or you may need to pay a ransom to prevent the release of sensitive data. In certain cases, cyber insurance can help cover ransom payments.
- Incident response and recovery. Cybersecurity insurance can help with the cost of investments you may need to make after an attack. For example, you may need to hire experts, conduct forensic investigations, and implement tools and measures to prevent future attacks.
- Business disruption. This may include lost revenue during downtime. This coverage can help your business stay afloat financially and continue operating in the wake of a cyber event.
Want more details on the benefits of cyber insurance? Download the Proofpoint presentation, “Cyber Insurance: Facts, Figures and Policy Fundamentals.”
Examples of common cyber insurance requirements
As noted earlier, getting coverage is more complicated than it used to be. Because security breaches are so costly and cybercrime is so common, many insurers have become more stringent in their underwriting processes. Some have lowered caps for payouts and narrowed their coverage offerings as well. This means that the requirements your business may be expected to meet will be fairly complex.
Every provider will likely conduct a risk assessment to determine if you qualify for cyber insurance. The process will help them to determine how much coverage they can offer you, and what you’ll need to pay for it. The risk assessment might be as quick and simple as a questionnaire or as complex and time-consuming as a third-party audit.
Here are six examples of cyber insurance requirements your business should be ready to meet.
1. Strong security controls
Most cybersecurity insurers will want to know about the state of your security controls. They want to be confident that you maintain robust measures to protect sensitive data and systems. That includes protection from internal threats, like careless, malicious or compromised insiders. If you have a remote or hybrid workforce, you may also need to demonstrate that you have people-centric security controls as well as granular policy controls based on risk, context and user role.
2. Multifactor authentication (MFA)
Multifactor authentication is a type of security control that many cyber insurance providers will want to confirm you are using with your workforce. MFA is a tool to reduce the risk of unauthorized access, especially in situations where passwords alone may not provide enough protection. Even if an attacker steals a user’s password, with MFA they still need a second factor—and maybe more—to gain access to an account. A biometric element, like a fingerprint, is an example of a potential second factor that might be used.
3. Incident response plan
It is inevitable that your business will face a cyberattack at some point. Therefore, many insurers want to see that you have an incident response plan. Your plan should be a well-documented and systematic process that defines how your company will manage a cybersecurity incident. It should serve as a set of clear instructions to help your business detect, respond to and recover from an event. You may also need to provide evidence that you perform regular tests and make updates to your plan to ensure it is effective.
4. Network security
You can be certain that every insurer will ask pointed questions about your network security. They will want to confirm that you maintain firewalls, intrusion detection and prevention systems. And they’ll want to know about any other measures you use to protect against unauthorized access. They may also ask you to explain if and how you conduct regular security audits and assessments to evaluate the strength of your network security controls.
5. Encryption
Encryption enhances the security of communication between client apps and servers. It protects confidential data by converting it into ciphertext. That, in turn, helps to protect against data interception, data breaches and various forms of cyberattacks. Many businesses consider encryption a vital element of their data security strategy. You can expect a cybersecurity insurer to inquire as to whether your enterprise is one of them.
6. Security awareness program
Another cyber insurance requirement is regular—and relevant—security awareness training. As this post explains, by presenting the right mix of information to users in a compelling way, you can empower them to help you improve your company’s security posture. You can also create a more robust security culture overall.
Beyond requirements: break the attack chain with Proofpoint
Meeting cyber insurance requirements is crucial, but it's only one piece of the puzzle. Proofpoint's solutions help to break the attack chain through a comprehensive approach, guiding you in dismantling the entire cybercrime lifecycle. For example, the Proofpoint Aegis threat protection platform can help your business block today’s advanced and integrated attacks, like ransomware and business email compromise. It also helps you to detect threats with greater accuracy.
Ready to break the attack chain and secure your organization's future? Learn more about Aegis and discover how we can help you build an impenetrable fortress against even the most determined cyber adversaries.