Cybersecurity insurance has become a big market in recent years, and it’s easy to see why. According to IBM’s Cost of a Data Breach report, the average cost of a data breach is $3.86 million and results in $1.52 million in lost business. For larger businesses, this number can stretch into the tens or hundreds of millions of dollars. As a result, insurance companies have created a cybersecurity insurance market, providing policies that offer some level of protection against the financial risk of a data breach. It’s a risky business for insurance providers, however, given that even the best-defended businesses can be, have been, and most likely will be breached at some point. As a result, premiums for cybersecurity policies can be extraordinarily high, depending on the risk profile of the insured.
Why Cybersecurity Coverage is so Expensive
Since the perceived risk is so high, cybersecurity policies frequently come with exorbitant premiums. Part of this is due to the implicit risk that perfect security will never be achieved, but the biggest contributor is that it is incredibly hard to accurately assess organizational risk and cybersecurity performance. Because risk is so difficult to measure accurately even in the best of circumstances, cybersecurity insurance providers take on a larger share of it, which in turn drives up premiums. In a Harvard Business Review publication, Tom Johansmeyer writes that, “Thirty years of history have shown us that cyber risk is difficult to understand, problematic to hedge, only likely to grow, and characterized by a continually changing threat environment.” Clearly the insurance industry is complicated and risk lurks around every corner, which makes calculating insurance premiums a messy business.
How Risk Plays into Premium Costs
While the general principle is quite simple, there is a lot that goes into how risk affects insurance premium calculations. Depending on the results of the risk assessment conducted by the policy holder, their risk profile will determine their pricing structure: higher risk (and therefore weaker cybersecurity performance) will result in higher insurance premiums, while lower risk or better cybersecurity performance will result in lower premiums. Even with strong cybersecurity performance, however, the best-secured system imaginable could still be a significant risk factor if it holds data whose leak would cause extraordinary financial harm. To keep insurance premiums reasonable, insurance providers often attempt to mitigate their risk on a policy by turning to the reinsurance market. Johansmeyer explains that, “Reinsurance — again, casually thought of as insurance for insurance companies — allows insurers to lay off risk to another capital source. Much as you turn to your insurer when you have a claim, insurers may look to reinsurers for support.” This means that while risk is the predominant factor in calculating insurance premiums, insurance providers have found ways to mitigate that risk and keep prices competitive.
Effectively Reducing Insurance Premiums by Improving Cybersecurity Performance
That’s not to say, though, that there aren’t ways to lower your insurance premiums. Organizations with a lower risk profile pose less risk to insurance providers, which allows providers to offer a better rate. Reducing risk comes down to cybersecurity performance management and being able to demonstrate cybersecurity effectiveness and maturity. Effectively tracking and managing cybersecurity performance is critical because it gives decision-makers the best possible understanding of the organization’s cybersecurity strengths and weaknesses; allocating budget to the most impactful performance metrics then allows for more efficient cybersecurity spending and a more effective cybersecurity program overall. Continuous monitoring is a crucial tool in reducing insurance premiums because it provides real-time visibility into organizational risk factors and compliance status and evaluates cybersecurity performance. Being able to provide this kind of information during a risk assessment is invaluable in demonstrating cybersecurity performance and in reducing risk, thereby reducing insurance premiums.
Although continuous monitoring and performance management programs aren’t something you can set up overnight, thankfully there are tools that make it significantly easier. CnSight looks from within your organization, providing an executive-level cyber risk, effectiveness, and performance management view that works for organizations of all sizes. Our solution uses Cybersecurity Performance Indicators (CPIs) to evaluate aspects of your cybersecurity program and their activity to determine which ones are strong and which are vulnerable. CnSight helps baseline and prioritize what is important to the business, ensuring alignment with organizational goals and risk appetite. Regardless of your current level of cybersecurity maturity, CnSight helps you chart a course to improving visibility and achieving better outcomes from your current investment in security.