Cybersecurity insurance: Charting the right course to reduce cyber risk


Acknowledging “worrisome trends” in a post-pandemic era, a Harvard Business Review article proclaimed that, “Cybersecurity insurance has a big problem.” What’s the problem? In short, in 2020, “the world seemingly entered a new era of cyberattacks” in which the “severity of financial consequences has been profound.” 

Take just ransomware, for instance. The average cost of recovery from a ransomware attack for a mid-size firm reached $1.85 million in 2020, more than twice the figure for the previous year. Cyber attacks at large continue to surge: Accenture Security reported a triple-digit (125%) year-over-year increase from 2020 to 2021. 

This hard-hit reality is not going unnoticed by cybersecurity insurers when it comes to pricing and premium conditions. As the cybersecurity firm Sophos notes, “[F]or the first time in its 15-plus year history as a standalone policy, the market is starting to harden, as insurers see their payouts rising faster than the income from premiums.” As a result, U.S. pricing for cyber insurance surged an average of 96% year-over-year, according to Marsh, “as organizations faced a daily onslaught of cyberattacks.”


[Chart: US cyber insurance rates continue to increase]


Standard & Poor’s Corp. suggests that the average cybersecurity insurance premium will increase 20-30% each year. 

So the question at hand is: How can you mitigate your cyber risk profile to realize more cost-effective cyber insurance coverage? After all, good security goes a long way toward getting insurance in the first place and, after that, realizing a lower premium.

Charting the right course to reduce cyber risk

When it comes to building strong cybersecurity programs and identifying an enterprise’s cyber risk, organizations often look to standardized guidance such as the NIST Cybersecurity Framework, together with adversary-behavior catalogs such as MITRE ATT&CK®, to build solid security programs that cover people, process, and technology. But in a global cybersecurity market that’s expected to hit $210 billion by 2028, where do you possibly begin researching the right solutions so you can gain real confidence in a cybersecurity product’s ability to help lower your cyber risk? 

The Cyber Catalyst by Marsh℠ program provides a reliable indicator for navigating a vast sea of offerings. Think of the Cyber Catalyst by Marsh℠ designation as the cybersecurity equivalent of an ecolabel such as Energy Star: you know upfront that the security product you are considering has been independently evaluated for its ability to have a meaningful impact on cyber risk. This program can help guide you to a high-confidence, low-regret vendor decision.

Designed to protect sectors, states, supply chains, and/or governments working together to see cyber threats early, a Collective Defense platform can help to lower cyber risk by facilitating real-time threat intelligence exchange, working much like a radar system for cyberspace. The IronNet Collective Defense platform, for instance, applies behavioral analytics to detect sophisticated cyber anomalies in a company’s network. The platform then visually correlates those alerts (anonymously) with what other organizations in the Collective Defense community see on their networks, ultimately providing advance warning and threat intelligence on potential incoming attacks. 
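To make the anonymized cross-organization correlation described above concrete, here is an added illustration (not IronNet’s code, and not a description of how its platform is implemented) of the general pattern: each member blinds the indicators behind its alerts with a community-wide HMAC key, replaces its own name with a pseudonym derived from a secret only it holds, and submits the result; an aggregator counts how many distinct sources reported the same blinded indicator and issues a community warning once a threshold is met; any member can then test its own raw indicators against the warning without the aggregator ever seeing them. All keys, organization names, alerts and technique tags below are constructed sample data.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data (not real telemetry): alerts raised by behavioral
# analytics at three hypothetical member organizations. Each tuple is
# (organization, ATT&CK technique id, indicator observed on that network).
SAMPLE_ALERTS = [
    ("org-a", "T1071.001", "203.0.113.7"),
    ("org-a", "T1059.001", "powershell.exe -enc SQBFAFgA"),
    ("org-b", "T1071.001", "203.0.113.7"),
    ("org-c", "T1071.001", "203.0.113.7"),
    ("org-c", "T1566.001", "invoice_0421.doc"),
]

# Constructed keys. COMMUNITY_KEY is shared by all members so that equal
# indicators blind to equal values; each ORG_SECRET is known only to that
# member, so the aggregator can count distinct sources without learning names.
COMMUNITY_KEY = b"community-key-example-do-not-use"
ORG_SECRETS = {"org-a": b"a-secret", "org-b": b"b-secret", "org-c": b"c-secret"}


def blind(key: bytes, value: str) -> str:
    """Keyed hash of a value: equality is preserved, the plaintext is not exposed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def submit_alerts(alerts, org_secrets, community_key=COMMUNITY_KEY):
    """Member side: what is sent to the aggregator (no org name, no raw indicator)."""
    return [
        {
            "source": blind(org_secrets[org], org),
            "technique": technique,
            "indicator": blind(community_key, indicator),
        }
        for org, technique, indicator in alerts
    ]


def correlate(records, min_orgs=2):
    """Aggregator side: flag blinded indicators reported by >= min_orgs distinct sources."""
    seen = defaultdict(lambda: {"sources": set(), "techniques": set()})
    for r in records:
        entry = seen[r["indicator"]]
        entry["sources"].add(r["source"])
        entry["techniques"].add(r["technique"])
    return {
        ind: {"org_count": len(e["sources"]), "techniques": sorted(e["techniques"])}
        for ind, e in seen.items()
        if len(e["sources"]) >= min_orgs
    }


def local_matches(warnings, my_indicators, community_key=COMMUNITY_KEY):
    """Member side: check its own raw indicators against the community warnings."""
    return [
        (ind, warnings[blind(community_key, ind)])
        for ind in my_indicators
        if blind(community_key, ind) in warnings
    ]


if __name__ == "__main__":
    records = submit_alerts(SAMPLE_ALERTS, ORG_SECRETS)
    warnings = correlate(records)
    for ind, w in warnings.items():
        print(f"{ind[:12]}... reported by {w['org_count']} orgs, techniques {w['techniques']}")
    # A fourth member checks whether the warning applies to its own network.
    print(local_matches(warnings, ["203.0.113.7", "198.51.100.9"]))
```

Two caveats a practitioner would want: the shared community key only hides indicators from an aggregator that does not hold it, so anyone holding the key can confirm a guessed value (low-entropy indicators such as IPv4 addresses are trivially enumerable); and a deterministic per-org pseudonym lets the aggregator link one member’s submissions over time, which is what makes the distinct-source count work but is also a linkability trade-off to weigh.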

Look to the Cyber Catalyst by Marsh℠ to enhance your insurance terms 

With a 2020 Cyber Catalyst by Marsh℠ designation, the Collective Defense platform provides a pay-it-forward aspect for Collective Defense customers. That’s because organizations that adopt Cyber Catalyst-designated solutions may be considered for enhanced terms and conditions on individually negotiated cyber insurance policies with participating insurers.

Those insurers, when considering potential policy enhancements, will expect organizations to deploy Cyber Catalyst-designated products and services in accordance with certain “implementation principles” that have been developed by the insurers and product vendors.

The IronNet Collective Defense platform is suitable for large Fortune 500 companies as well as mid-sized organizations across both public and private sectors. It adds a level of threat visibility and detection to a CISO’s security portfolio, while integrating with SOAR, SIEM, and workflow tools.

Maturing your cybersecurity posture in the cold, cruel cyber world

Indeed, the times have changed. Digital transformation has expanded the cyber attack surface considerably. The cybersecurity insurance market is feeling these growing pains. “Cyber insurance was only ever meant to be for a novel, an unforeseen catastrophic event. When things like ransomware were limited to someone's grandmother on their old PC, that was a license to print money," said Burn. "But now that music has absolutely stopped and they're reeling from those losses."

Fear not: Any organization, no matter how small or large, can work toward establishing a better cyber risk profile by maturing its security posture. Process maturity models can provide a realistic understanding of an organization’s cybersecurity capability levels in relation to implementing these standards and frameworks. 

Used together, a framework and maturity model can guide strategic priorities and help to identify where to direct cybersecurity investments. You can also assess cyber risk by mapping your detection and response coverage against the adversary techniques catalogued in MITRE ATT&CK®, which exposes the gaps across your enterprise that an attacker could exploit.

Need help understanding where you stand? Consider an Attack Assessment to see where you are and where you need to go to climb the cyber maturity ladder.
