Cybersecurity Festival 2024: Four ways to cut your cyber insurance premiums
Certifications mean nothing without action
Jason Ozin, CISO at PIB Insurance, told the Cybersecurity Festival to get a broker, get certified and get hacked.
Cyber insurance is like Marmite: you love it or you hate it. Although it might be both: you can love having it but hate the buying process. Possibly it's Vegemite.
The concept of insuring against cyberattacks and outages is relatively new, but premiums have changed dramatically.
"Ten or twelve years ago, when cyber insurance first came out, nobody bought it because the requirements were too onerous," said Jason Ozin, group information security officer at PIB Insurance, speaking at Computing's Cybersecurity Festival last week.
"Insurance companies reduced [the questions] to 'How big is your company, what's your turnover, how many data records have you got?' – then they lost money for ten years, because everyone got hacked… Now, they're reverting back to finding out if you are a good risk or a bad risk."
Risk investigation can be drawn out and invasive. One audience member said their insurer now requires network-scanning as part of the coverage, and "false positives are the bane of our existence."
At the same time, premiums have spiked. Our audience – in common with most IT leaders – had a vested interest in reducing them. So, how can you cut your cyber insurance premiums without compromising on your coverage?
Increase your excess
Cyber insurance is very different from consumer products like home or car insurance, but it's still insurance. That means raising your excess – the amount you pay before an insurer has to step in – is a good way of lowering your premiums.
"If you've got money in your firm, if you know that you can do it, then you can reduce your insurance premium by quite a lot by saying, 'Look, we'll pay for, say, the first £250,000 on every one of these claim lines. We don't care about money, we care about being able to do business on day two, day three, day four.'"
Get a broker
Everyone considering cyber insurance should have a broker, whose job is to scan the market and make sure you're getting the best deal. On top of saving money, you'll probably also find that they can lower your risk.
"You should have a good broker that works with and understands the market. The broker will tell you why you've got such a high premium and say, 'If you implemented MFA across the board, I guarantee your premium will come down'...
"Your broker, if you've got a good broker, will work with you because they understand the market and they understand the threats, and they know how to reduce the premiums."
Certify – within reason
Certifications like Cyber Essentials and ISO 27001 should be an obvious achievement you can show to insurers to cut your premiums – right? It's not quite that easy, said Jason.
"[Cyber Essentials] is a very good framework, if people take it seriously and don't lie on the form. But the truth is that the insurance companies want more. Their questions are wider and deeper than Cyber Essentials... If you can't get Cyber Essentials then don't even bother asking for cyber insurance, because you can't reach that standard."
Just having the certification makes no difference unless it's had a material impact on your risk posture.
"Just going off and getting ISO27001 isn't going to reduce your premium unless it changes the answers that you give to cyber insurance."
Get hacked
Counterintuitively, suffering a cyber-attack – and probably making a claim – could lower how much you pay; this is another way cyber cover differs from consumer insurance products.
"[Insurers] don't look at the attack, they look at what you've done after the attack – hopefully with their help – and see how much you've improved... There's a chance your premium will actually go down because you, all of a sudden, have covered all these holes that let [attackers] in the first place...
"I often say to my team, when they ask, 'Why are we using them, they got hacked?' I say, they're probably safer than the guys who didn't get hacked yet, because they now understand what their inaction meant."
Remember that claiming on your insurance doesn't necessarily mean using the money to pay a ransom – something that may soon become illegal, anyway. Instead, you're paying for coverage in many different areas: incident response, legal costs, PR, forensics, breach management and a host of other potential claim lines.
"You don't pay cyber insurance to pay the ransomware. You pay cyber insurance because on day zero, when you get attacked, and your IT department is running around like headless chickens and ruining all the evidence, and the Daily Mail is ringing you up, and this, that and the other, what the hell do you do!?"
You turn to the "very trusted panel of advisors" your insurer sends to pull you out of the mess – which includes "the solicitors, the PR agency, the cyber experts and all the other things – even the ransomware negotiators. That's why we pay insurance...
"We're less worried about somehow paying the ransom. We're more worried about how the hell do we continue business today, tomorrow and the rest of the month?"