
Understanding How Cybersecurity Insurance Providers Assess Risk When Calculating Premiums

  • Writer: Robert Salier
  • Nov 12, 2024
  • 4 min read

Updated: May 12


Just as traditional insurance providers assess risks to determine premiums for building, automotive and health insurance, cybersecurity insurance providers analyse a company's cyber risk profile before setting the cost of coverage. Understanding the factors that influence these assessments can help organisations better prepare for and potentially reduce their premiums.  This article explores how cybersecurity insurance providers assess risk and calculate premiums.


Cyber Risk Assessment: The Foundation of Premium Calculation

Over the last few years, through hard experience, insurance providers have been learning about cybersecurity risks.  As a result, they have been evolving and refining the scope of their policy coverage and terms.  They are also becoming more proficient at evaluating the risk profile (a.k.a. “risk posture”) of an applicant wanting cybersecurity insurance, because the cybersecurity risk assessments they use have themselves been evolving and refined.


The primary objective of a cyber risk assessment is to gauge the likelihood and potential impact of cyber threats on a business. This includes evaluating industry and company-specific risks, the value of sensitive data that the organisation holds, and human-centred factors such as cybersecurity awareness, processes and procedures.  It also involves assessing the nature and extent of the IT infrastructure that criminals and unscrupulous employees could exploit, i.e. the size and vulnerability of the “attack surface”, including mobiles, tablets, computers, and physical access to offices, devices, servers and data.


Let’s deep-dive into the key factors that cybersecurity insurance providers typically consider:

 

1. Nature of Business, Size and Complexity

Organisational Scale: The size of a company, in terms of both employee count and revenue, influences risk perception. Larger organisations typically have more complex IT infrastructures and greater volumes of data, potentially increasing the attack surface for cyber threats.


IT Complexity: The complexity and interconnectedness of a company’s IT systems are evaluated. Highly complex networks with numerous endpoints and third-party integrations may present more opportunities for cyberattackers and elevate risk levels.


2. Data Sensitivity and Volume

Type of Data Handled: The sensitivity and volume of data a company handles are critical factors. Organisations dealing with highly sensitive information, such as personal identifiable information (PII), financial data, or intellectual property, are considered higher risk.

 

3. Industry-Specific Risks

Sector Vulnerabilities: Certain industries are more prone to cyber threats due to the nature of their operations. For instance, healthcare organisations are prime targets for data breaches due to the sensitive personal information they handle, while financial institutions may face higher risks of fraud and theft. Insurers take these industry-specific risks into account when determining premiums.

 

4. Third-Party Relationships

Vendor Management: Third-party vendors and partners can introduce additional cyber risks. Insurers examine how well a company manages and secures its third-party relationships, including the use of vendor risk assessments, contracts, and security audits.

 

5. Awareness and Education

Various industry reports cite human error as the cause of between 75% and 95% of all cybersecurity breaches, with 88% being a commonly cited figure.  Insurers evaluate the extent and frequency of cybersecurity awareness and training provided to employees.  Insurance providers look favourably on companies that regularly conduct employee phishing simulations designed to evaluate the effectiveness of their awareness and training initiatives.

 

6. Policies, Processes and Procedures

Insurance providers generally take a holistic look at the range of policies, processes and procedures that impact cybersecurity, e.g. access to buildings, devices and data, employee onboarding, offboarding, password practices, invoice payment, data retention and data disposal.

 

7. Detection and Prevention Technology

Insurers consider what infrastructure and systems are deployed to harden the attack surface, to restrict access to only the people who require it to perform their job, and to detect and prevent intrusions.  This includes the use of firewalls, intrusion detection systems, antivirus software, encryption, and multi-factor authentication. Companies with robust, up-to-date security systems are generally seen as lower risk.

 

8. Backup infrastructure and practices

If you have a copy of your important data, then you should be able to quickly recover from incidents such as malicious tampering, accidental deletion or overwriting of files.  Backups also provide resilience against ransomware attacks that lock files and demand a ransom to unlock them.


There are quite a few considerations when deciding how to do backups.  Insurance providers typically look at where the backups are held, whether backups are geographically distributed to address localised incidents such as fire and flood, how often the backups are performed, and how much backup history is kept.

 

9. Disaster and incident response plans

The existence and effectiveness of both disaster response plans and incident response plans are critical. Insurers look for a well-documented plan that outlines procedures for identifying, containing, and mitigating cyber incidents.  They also look to establish whether these response plans have been tested, and how.

 

10. Historical Data and Incident Reports

Past Cyber Incidents: A company’s history of cyber incidents—such as data breaches, ransomware attacks, and other security compromises—plays a significant role in risk assessment. Frequent or severe past incidents can indicate vulnerabilities and result in higher premiums.

 

11. Innovation and Adaptation

The rate at which a company adopts new technologies and adapts to emerging cyber threats is also important. Insurers favour organisations that stay abreast of technological advancements and continuously evaluate and improve their cybersecurity measures.


Conclusion

Calculating cybersecurity insurance premiums is a complex process that involves assessing a broad range of factors, going well beyond the infrastructure and technology itself. By understanding the factors that cybersecurity insurance providers consider, and by taking proactive steps to enhance cybersecurity, organisations can not only reduce their inherent risk, but also potentially lower their insurance premiums. A robust cybersecurity strategy is indispensable for safeguarding business operations, and for securing favourable insurance terms.
