I caught up with Vice President of Risk Advisory, Tim Marley, and Cybersecurity Consultant, Corey Bolger, about upcoming changes to cyber-insurance and trends they are seeing. Their two cents might get you thinking.
As one might predict after so many recent high-profile ransomware and extortionware attacks, cyber-insurance policies are getting more difficult to purchase. Anyone thinking policy renewal is a given, or who is budgeting the same amount as last year, might be taken aback at renewal time. With premiums already having climbed steadily in recent years, jumping 50 – 100% from 2020 to 2021, this is nothing new. However, experts like S & P Global Ratings credit analyst Manuel Adam are predicting premiums to increase again sharply over the next two years, “even doubling in some cases” (Cyber Risks in a New Era 2021). What this means for businesses is that cyber insurance renewals are not likely to be a foregone conclusion. Underwriters are looking more closely at what organizations are doing, specifically, to safeguard their environments before deciding who they will insure, for how much, and at what cost.
Tim Marley, TRUE’s Vice President of Risk Advisory, notes that “we are seeing more extensive questionnaires. We’re no longer talking about 4-5 basic questions, but hundreds of questions in some cases. Insurers want to know what is being done to protect key assets from attack. Mature organizations approach those questionnaires as more than checking a box.”
Checking Boxes Doesn’t Move the Needle
It’s not just about getting insurance. This is about protecting your profits, preventing downtime, keeping your business afloat. In the same way you follow fire codes in a new business – because those measures make your business safer, getting insurance isn’t the only goal here. You’re going to be spending on solutions to meet those guidelines, positioning yourself to get the best policies and premiums. You might as well make it count.
Case in Point: Standard Security Awareness Training Subscriptions
For some time now, cyber-insurance providers have been asking businesses to train their teams in cybersecurity awareness as a means of mitigating the risk of internal errors, such as clicking on malicious links or mishandling of sensitive data. Agents have traditionally pointed businesses to subscriptions they can purchase to gain access to hundreds and even thousands of training videos, games, and other interactive curricula for their teams. The good news is, you get access to hundreds of videos. The bad news is, you get access to hundreds of videos. It’s like renting a warehouse full of assorted books to learn how to engineer a bridge. If you want to accomplish your goal, someone will need to sift through all those books and curate a sound learning path for you. Otherwise, you are likely to read through a few introductions, feel like you are wasting your time, and not go back to the warehouse except when you have to.
Lack of Time to Manage One More Tool
When it comes to cybersecurity tasks needed to turn the dial in your security program, one of the biggest challenges companies face is lack of time for their internal teams. As training expert Corey Bolger points out, “It all boils down to being strapped for resources. Teams are stretched thin as it is, and the last thing they have time for is to sort through videos, monitor team progress, customize simulated phishing campaigns, and plan next steps in training. That’s why our team has started helping clients just manage the tools they already have.” Marley, Bolger, and other members of the team have spent countless hours not just writing and delivering our own curriculum, but working in tools like KnowB4. “We know what’s effective, what your teams will ignore, how to tailor coursework to unique compliance or business needs, and how to ensure your teams are really mastering cyber-awareness. We tweak it until we see progress,” says Bolger.
You’ll Benefit in the Long Run
Again, the goal is bigger than just getting insurance, although that is certainly important. The real goal is to be insurable, because you are more secure. All the way around, you stand to gain more from an effective training program than you have to gain from an ineffective one. The same can be said for all the other requirements you may face. So, whether you are looking at a 20-page cyber-insurance questionnaire or just requests for more validations of your current controls, choosing better solutions at each fork in the road is going to help. You can choose managed detection and response (MDR) over standard anti-virus, securely architected and tested backups over easy-for-attackers-to-access backups, multi-factor authentication over standard logins, and so on. You’re already taking steps to get your cyber-insurance. Might as well take the ones that matter.
When you engage with TRUE to administer your cybersecurity awareness training, you can choose from managed/curated subscriptions, customized in-person or remote training from our experts, simulated phishing campaigns, and even special events like our proprietary Cybersecurity Escape Room. If you would like to get started with better cybersecurity awareness training, you can request a consultation with one of our experts anytime.
