Cyber insurance: A complement to security audits

Cyber insurance coverage differs depending on the insurer and the level of protection you want to buy

The digitalization of companies has had countless consequences. One of the most obvious is the fact that a large part of their critical assets is no longer physical, but digital. For a textile company today, its eCommerce platform is as important as the factories where it manufactures its garments. That is why many companies have wanted to protect the digital dimension of their business by taking out cyber insurance: products offered by insurance companies to help companies deal with the consequences of an incident.

According to a report by GlobalData, the cyber insurance industry will reach $10.6 billion in revenue by 2025. This is largely due to the increase in cyber-attacks in recent years.

For example, in mid-July, the Spanish National Research Council (CSIC) suffered a Russian cyberattack that left it without an Internet connection. The return to normality did not occur until a month after the incident. At the beginning of August, Twitter, one of the most popular social networks on the planet, acknowledged having suffered a cyber-attack that resulted in the theft of data from 5.4 million users.

These two recent cases perfectly exemplify a reality that companies and public institutions shouldn’t shy away from: cyberattacks are the order of the day. But insuring against them shouldn’t be reduced to taking out a policy; it means protecting systems permanently against external and internal aggressions.

Just as insuring a company’s offices does not prevent fire, theft, or flooding, cyber insurance doesn’t protect companies against attacks.

1. Cyber insurance: Allies in dealing with the consequences of attacks

First of all, we must clarify what exactly cyber insurance is. The goal of these products marketed by insurance companies is to protect companies against the consequences of cybersecurity incidents.

In other words, cyber insurance, like insurance products without the prefix “cyber”, is a contract between an insurance company and a company. The former undertakes to pay the latter a specified amount in the event of a cybersecurity incident covered by the contract that results in losses for the insured company, as well as to assist in managing the crisis. In turn, the latter pays a fee for cyber insurance, in the same way that it pays for having its physical headquarters insured.

Thus, cyber insurance has become an interesting ally when facing crises, guaranteeing companies that they will have the liquidity to mitigate their effects.

Their origin is to be found in the digitalization of society and the economy. Taking into account the leap of companies to the cloud, the multiplication of applications and software, or the development of disruptive technologies such as machine learning or artificial intelligence, the need for companies to have mechanisms and tools that safeguard their interests in the digital era becomes evident.

Playing on metaphorical ground, we could say that cyber insurance policies are not shields against attacks, but safety nets stretched under the feet of companies to soften the fall if it occurs.

Therefore, beyond taking out cyber insurance, the important thing is to keep companies from walking the tightrope in the first place.

2. What does cyber insurance cover?

As with traditional insurance, cyber insurance coverage differs depending on the insurer and the level of protection the company wishes to take out. After all, third-party car insurance is not the same as fully comprehensive cover.

Among the basic issues usually covered by cyber insurance, we can highlight civil liability, assistance during a cybersecurity incident, and the expenses derived from these and recovery work.

As with other insurance policies, coverage is not absolute. Cyber insurance doesn’t pay out if the insured company has acted in bad faith or in a negligent manner, without taking the minimum measures to deal with cyber risks.

2.1. Civil liability

Many cyber-attacks are aimed at stealing data held by companies. Much of this data may be private information of their customers or employees. In the event of claims arising from the violation of personal data, cyber insurers can meet the resulting costs, as well as the data protection penalties that the company that has fallen victim to the cyberattack has to face.

2.2. Security incident management

Crises caused by cyber-attacks can be complex to resolve and, above all, costly. The company needs technical and IT advice to deal with the cyberattack itself, regardless of the type of technique used by the attackers. But it’s also necessary to have legal advice to manage the possible claims that we talked about in the previous subsection. And, of course, advice on communication and crisis management to try to reduce reputational damage.

Cyber insurance offers either direct advice or covers the costs of having advisors from outside the organization.

2.3. Recovery efforts

A central issue in the management of any crisis triggered by the exploitation of cyber risk is business continuity. Every minute that the company is paralyzed by the effects of a cyber-attack translates into economic and reputational losses.

Getting back to normal, restoring backups, recovering lost data, and reestablishing the full functioning of systems are actions of strategic relevance. To this end, it’s essential to have top-level professionals in the field of cybersecurity.

3. What do insurance companies require when taking out policies?

The inescapable fact that cyber insurance policies are not intended to prevent cyber risks means that they cannot be considered as alternatives to security audits and the establishment of security programs and protocols adapted to the characteristics, needs, and resources of each company.

But we can even go further. It’s not only that companies shouldn’t take out cyber insurance and forget about their cybersecurity, but that the insurance companies themselves don’t allow it.

When we sign a health insurance policy, the insurance company submits us to a medical evaluation to determine our state of health and the risk factors we present. To do so, they carry out tests, study our medical history and take into account our family history. Something similar happens in the case of cyber insurance.

Before signing any type of contract, insurance companies carry out a cybersecurity assessment of the company that wants to take out the cyber insurance. To do this, they take into account both the characteristics of the organization, its business model, and its level of digitalization.

If vulnerabilities, problems in procedures, or lack of training are detected, the insurer can require the company to remedy them, to achieve a minimum level of security that allows the company’s systems to withstand a possible cyberattack. Otherwise, the contract will not be concluded.

In addition, at present, companies issuing cyber risk policies already require companies wishing to take out cyber insurance to carry out a series of actions aimed at periodically securing their systems.

3.1. Security audits

As we pointed out earlier, using the example of health insurance, insurers must first check that the minimum health requirements are met to be able to take out insurance. Otherwise, the chances of having to bear the financial consequences of a serious illness are extremely high. This also applies to cyber insurance.

Security audits carried out by companies with extensive experience in this field and professionals with expertise in the field are key for a company to be aware of the cyber risks to which it is exposed and to implement the necessary measures to remedy the vulnerabilities of its systems.

Therefore, as we say in the title of this article, cyber insurance cannot be used as a substitute for security audits, but rather as a complement to them. Auditing the security of a company and its systems is the cornerstone for building a security strategy that successfully addresses cyber risks and reduces the likelihood of the bad guys succeeding.

Depending on the company, multiple actions can be taken to detect vulnerabilities. Web security audit, mobile application security audit, code audit, cloud infrastructure security audit…

Thanks to the audits and the measures that analysts advise implementing, insurance companies can have greater confidence in the ability of their insured to resist potential attacks or minimize damage, while companies get the information they need to protect themselves against cyber risks. You don’t take out health insurance because you want to use it, but as a last resort to deal with a problem that you want to avoid at all costs.

Cyber insurance is not a shield against attacks

3.2. Control measures

Knowing the vulnerabilities and risks is very important for closing gaps and securing a company’s digital infrastructure. But the requirements of insurance companies don’t stop there. Companies are also required to implement additional control measures:

  1. EDR technology. Behind these three letters lies Endpoint Detection and Response. This technology focuses on protecting a company’s systems by detecting risks and threats that may go unnoticed and are characterized by a high level of complexity. Artificial Intelligence or Big Data is used for this purpose.
  2. Threat Hunting. A type of cybersecurity service characterized by its proactivity: as its name suggests, professionals go hunting for cyber threats, getting to know the attackers in depth, based on basic principles such as the hypothesis of compromise or an offensive mentality.
  3. Red Team. Through Red Team services, cybersecurity professionals pretend to be external agents and attack the company’s systems. In this way, it is possible to test in an attack scenario how the protection systems and response procedures respond, in order to optimize them as much as possible. At the same time, security personnel are trained to successfully deal with real incidents.

Every little bit helps in a scenario where malicious actors launch increasingly sophisticated and complex attacks. As a result, insurance companies are becoming increasingly demanding in terms of security audits and control measures to be implemented by companies wishing to take out cyber insurance.

4. ISO 27001: Highest cybersecurity standards

From the context and the services we have just described, it is clear how important it’s to follow the highest cybersecurity standards both for the prevention of cyber risks and for obtaining cyber insurance.

This is precisely what is verified by the ISO 27001 certification focused on the planning, implementation, verification, and control of an Information Security Management System.

This international certification certifies that the confidentiality of a company’s data is guaranteed. To this end, an exhaustive risk analysis is carried out, focusing on the organization’s infrastructures, but also the professionals involved in information management.

In addition, the certification highlights the cybersecurity company’s efforts to operate internally with the same levels of rigor, professionalism, and meticulousness that it employs when working side by side with its clients.

5. NIS Directives: Ensuring the protection of businesses and citizens

Just as companies have become increasingly aware of the importance of cybersecurity, citizens and public administrations have also multiplied their interest in this area, since, as we saw earlier with the CSIC, public bodies are also targets of malicious actors, and individuals can see their private data stolen and exposed.

Thus, in addition to data protection regulations, such as the GDPR, new regulations have been approved or are about to be approved that stress the importance of companies being protected against threats and facilitating the exchange of information about them. This is precisely the aim of the NIS Directive and its sequel, which is more ambitious and adapted to the challenges of the present: the NIS2 Directive.

This standard, the content of which has already been agreed upon by the Council and the European Parliament, pending official approval, aims to improve the resilience and responsiveness of institutions and companies to cyber-attacks. To this end, it’s essential to detect and remedy vulnerabilities and improve the information available on new emerging threats.

6. From cyber insurance to regulations: Security as a strategic issue

In short, cyber insurance, security audits, Red Team or Threat Hunting services, ISO 27001 certification, and NIS directives are all moving in the same direction. Cybersecurity and protection against cyberattacks, as well as incident management, have become strategic issues for public institutions and companies.

The rise of cyber insurance has made it clear that cyber risks are becoming greater and more challenging with each passing day and that companies have become aware of the dangers surrounding their digital assets.

Cyber insurance and, above all, the requirements demanded by insurers to contract them, demonstrate the importance of having a comprehensive security strategy, supported by professional audits and appropriate measures and protocols. Cyber insurance is just one more tool to mitigate attacks and ensure that, should they occur, they do not affect business continuity and corporate interests.