As cybercrime costs spiral toward $24 trillion annually by 2027, insurers are tightening their requirements and scrutinizing claims more closely than ever. Bill McLaughlin, CEO of managed services company Thrive, maps out the essential steps organizations must take to obtain and maintain cyber insurance coverage in today’s heightened threat landscape.
Cybercrime is becoming an increasingly serious threat, with incidents like phishing schemes and data breaches rising at an unprecedented rate. From large enterprises to small businesses, everyone is at risk of suffering losses, but the latter might never financially recover from them.
With reports projecting the total cost of online criminal acts soaring to $24 trillion by 2027, up from $12 trillion in 2023, companies must take steps to protect themselves from these attacks in the same way they would from a fire or a tornado.
But how? Insurance.
Cyber liability insurance is a specialized policy designed to cover the financial losses organizations face from ransomware attacks, data breaches and other cyber incidents. Because it is meant to mitigate the financial impact of cyberattacks, it also often covers expenses such as legal fees, crisis communication efforts, system recovery, investigations and more.
From this description, one might imagine that every company must hold an active cyber insurance policy. Well, not exactly. In response to growing cyber threats, insurers have revised their policies to protect their own interests, making the process of obtaining coverage more difficult. Insurers are now requiring businesses to demonstrate not just the presence of cybersecurity protocols but also their effectiveness and ongoing maintenance. Failure to do so could result in denied claims, leaving businesses exposed during a cyber event and financially liable.
The risks of being uninsured
For small and medium-sized companies, investing in cyber insurance can feel like a big commitment. Cyber insurance policies often include comprehensive measures like advanced threat detection, vulnerability assessments and incident response plans. When combined with existing cybersecurity systems, the costs can add up quickly. This leaves many companies questioning whether it makes financial sense to invest in both in-house cybersecurity and an insurance policy. It does.
Without a cyber insurance policy, a company is left to carry the full financial burden of a cyberattack, including covering costs associated with restoring compromised systems, data breaches, ransomware payments, regulatory fines, legal fees and more. For smaller companies, these costs can quickly spiral out of control, causing significant financial strain or, in the worst-case scenario, bankruptcy. Cyber insurance serves as a safety net, ensuring that organizations aren’t left vulnerable and are better equipped to recover from an attack.
How to meet insurance requirements
The most effective way to determine if a company meets insurance requirements is through an audit of its security system. An audit provides a comprehensive overview of cybersecurity policies, tools and strategies, identifies existing vulnerabilities and assesses the overall security posture of the business. Often led by a chief information security officer (CISO), the audit may include additional assessments, such as a cybersecurity risk evaluation, or tracking key performance indicators (KPIs) like mean time to detect (MTTD) and mean time to acknowledge (MTTA).
The next step after the audit is completed is to understand the broader cybersecurity landscape. Start by researching internationally or nationally recognized standards and best practices, and align your company’s security measures with these frameworks to ensure compliance. An added benefit of following these standards is that they help improve overall cybersecurity hygiene. The CIS 18 Critical Security Controls, for instance, is a great resource that offers businesses a roadmap for enhancing their security posture. It recommends tactics like implementing multi-factor authentication (MFA), incident response planning, data encryption, patch management plans, regular vulnerability assessments and penetration testing.
How to ensure continued coverage and security
Businesses must stay vigilant and remember that as threats evolve, so will the cybersecurity requirements. CISOs, or whoever oversees cyber insurance policies, should remain up to date on the evolving standards insurers require while also monitoring pending claims to ensure they are not rejected.