So, your business has just suffered a data breach and it’s time to dig deep in your pockets to pay all the resulting expenses. Without cyber insurance, you can expect to pay a dizzying amount of cash.
In 2022 alone, the average cost of a data breach for businesses under 1,000 employees was close to $3 million—and these costs are coming from activities that cyber insurers typically cover, such as detecting and responding to the breach. (Cyber insurance company At-Bay has a great free tool to estimate the cost of a data breach to your business).
Indeed, with liability limits ranging from $1 million to $5 million or more, cyber insurance policies can cover a good chunk of the damage caused by a data breach.
But if you’re looking to apply for cyber insurance, there’s a few things you should know first—especially if you want the lowest possible premium.
Here are four ways your business can save money on its insurance.
How is cyber insurance priced?
Before we dive in any further, it’s important to understand how cyber insurance policies are priced to begin with.
A 2019 paper published in the Journal of Cybersecurity analyzed over 235 cyber insurance policies from New York, Pennsylvania, and California, as well as policies posted publicly on carriers’ websites. They found that cyber insurance companies price their policies in one of four ways:
- Base rate. Insurers provide a base premium based on your organization's annual revenues or assets (or number of employees/students). The basic logic is that more revenue equals more risk, therefore higher premiums, and vice versa.
- Base rate with security questions. Insurers look at your organization's security posture to determine the final premium pricing. This was by far the most widely-used approach by insurers (57 percent of policies analyzed).
- Fixed rate. Insurers provide a fixed rate regardless of firm or industry. This was most common for smaller businesses.
- Fixed rate with hazard groups. This is the same as fixed rate, but with a single modifier based on the amount of perceived risk a business has (such as how much sensitive information is stored on its website). Again, typical for small businesses.
How to save money on cyber insurance
While it’s clear that the size of your business and the industry you’re in can affect costs, a large portion of cyber insurance providers still look at your security posture to determine premiums.
So, what are some of the security controls that can lower your premium? (Coalition cyber insurance offers a free automated scanning tool to help you find your organizational risk.)
For this article, we looked at security tips from the five biggest cyber insurance companies—AXA XL, Chubb, AIG, Travelers, and AXIS—and found four commonalities across what they had to say.
1. Use multi-factor authentication (MFA)
Did you know that, according to Verizon's 2022 Data Breach Investigations Report, 50 percent of data breaches start with stolen credentials?
Given this statistic, it’s no surprise that using multi-factor authentication (MFA) could signal to cyber insurers that you’re less of a risk. By requiring you to use multiple forms of authentication, MFA makes it much more difficult for threat actors to pull off brute force attacks, or to use stolen passwords.
2. Implement a cybersecurity training program
If stolen credentials are the most common initial attack vector in data breaches, then phishing is a close second—accounting for about 17 percent of all data breaches, according to the same Verizon report.
This is why implementing a cybersecurity training program for your employees is so important.
A good training program should inform employees about common threats such as email phishing, spear phishing, and other common social engineering attacks. Cyber insurers are likely to view the implementation of such programs as a mark of high security maturity.
3. Disable Remote Desktop Protocol (RDP) services
In about 50 percent of ransomware attacks, Remote Desktop Protocol (RDP) was the initial attack vector, according to a study by Palo Alto Networks.
RDP is a network communications protocol that allows users to remotely control their devices. Commonly used by remote workers, RDP is also used by IT staff to troubleshoot problems on employees’ devices.
However, hackers can easily search for computers that expose RDP and then use a brute force attack to try to guess the password—and from there, they can carry out a ransomware attack.
Securing RDP with best practices, such as following the principle of least privilege, removes a potential point of access for hackers. Read our article on how to protect RDP for more tips.
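To make the RDP advice above concrete, here is an added PowerShell audit script (not from the original article or any insurer) that reports whether a Windows host has RDP enabled, whether Network Level Authentication is required, who can log on remotely, and which Remote Desktop firewall rules are open; it assumes an elevated session on a machine with the NetSecurity module, and the `-Disable` switch is a hypothetical option defined within the script.

```powershell
# Added example: audit a host's RDP exposure and optionally disable RDP when it is not needed.
# Run in an elevated PowerShell session. Pass -Disable to turn RDP off after the audit.
param(
    [switch]$Disable
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means RDP is disabled; 0 means it is enabled.
$denied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication (NLA) is required.
$nla    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication

$report = [ordered]@{
    RdpEnabled  = ($denied -eq 0)
    NlaRequired = ($nla -eq 1)
    # Members of "Remote Desktop Users" can log on over RDP; least privilege means keeping this list minimal.
    RdpUsers    = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty Name) -join ', '
    # Local Administrators can always log on over RDP, so review this group as well.
    Admins      = (Get-LocalGroupMember -Group 'Administrators' |
                   Select-Object -ExpandProperty Name) -join ', '
    # Firewall rules in the built-in "Remote Desktop" group that are currently enabled.
    OpenFwRules = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                   Where-Object { $_.Enabled -eq 'True' } |
                   Select-Object -ExpandProperty DisplayName) -join ', '
}
[pscustomobject]$report | Format-List

if ($Disable) {
    # Deny inbound RDP connections and close the firewall rules. This is reversible by
    # setting fDenyTSConnections back to 0 and re-enabling the "Remote Desktop" rules.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host 'RDP disabled.'
} elseif ($report.RdpEnabled -and -not $report.NlaRequired) {
    # If RDP must stay on, at least require NLA so credentials are checked before a
    # full session is created, which limits what an unauthenticated client can reach.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Write-Host 'RDP left enabled; NLA has been turned on.'
}
```

Run the script without `-Disable` first to review the report; a non-empty `RdpUsers` or `OpenFwRules` line on a machine that does not need remote access is the kind of finding insurers' security questionnaires ask about.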
4. Deploy Endpoint Detection and Response (EDR)
According to Ponemon’s 2020 State of Endpoint Security Risk report, the average financial loss from endpoint attacks was almost $9 million in 2019.
Not surprisingly, then, both Travelers and Axis cyber insurance explicitly mention endpoint protection as an important prevention measure.
Endpoint detection and response (EDR) is a form of endpoint protection that detects and protects against ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats. Learn more about how EDR can help secure your business.
Better security means better savings
Without cyber insurance, you can expect to pay a lot of cash to cover the cost of a data breach, and many companies are investing in it as a result. In this article, we explained how cyber insurance policies are typically priced, and how your organization’s assessed security posture is a prime consideration for many insurers.
We also outlined four key processes and technologies that make you a much more challenging target to attack, and consequently a considerably less risky proposition for cyber insurers.
With Malwarebytes Endpoint Detection and Response, you can show cyber insurance companies you’re prepared to handle a cyberattack. To find out more, read how Mike Carney Toyota saved on cyber insurance by deploying Malwarebytes EDR.
Malwarebytes EDR prevents, detects, and responds to ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and "zero-day" unknown threats so you can avoid business disruption and financial loss.