In view of the economic dimensions of IT security incidents, IT insurance cover or cyber insurance can in many cases become the decisive lifeline for companies. The importance of cyber policies is therefore increasing. At the same time, the criteria for awarding them are becoming stricter.
If you want to benefit from protection, you not only have to bring your IT security up to date, but also increasingly have to prove external protection - for example through managed security service providers.
MSSP - Managed Security Service Provider
Cyber policies have become an important part of corporate IT security. They add an important component to existing defense technologies: absorbing the financial damage and burdens of a successful attack and other security obligations. This is indispensable added value, because no company can assume that its own cyber security will ward off all future attacks. It is only a matter of time before the attackers will be successful. Costs should therefore not be an argument: the premiums paid are amortized after a one-time success by the hacker.
More expensive or no insurance at all
Insurers are aware of their increasingly important role, but also of the increasing risk they face. Many providers have noticed that companies with a policy behind them are quicker to buy their data and IT ransom in the event of a ransomware attack - and hope that the damage will be covered. Not least because of this, you have recognized how necessary it is to grant a policy with caution. As a result, they calculate higher premiums and, in their own interest, work on extended criteria as a condition for insurance cover.
And the situation is getting worse: Many market observers now fear rising cyber premiums as a result of the war in Ukraine after the boost caused by the pandemic. At the same time, insurance companies do not have an overview of all risks. They are not immune to not being able to pay for damage that they have not yet factored into the premium calculation for older policies. The so-called silent cyber risks in networked production facilities, which often did not exist when the insurance was taken out, are a good example of this.
Insurance companies are dropping cyber insurance offers
Insurance protection itself is also a topic of discussion again and again. For example, Axa withdrew its offers to cover ransomware ransoms in the French market in 2021. In Germany, the situation seems to be generally better, so that the majority of companies received at least part of the ransom reimbursed. However, companies increasingly have the feeling that insurers are setting higher criteria for IT security. In Germany, the CEO of Munich Re also recently drew attention to himself with his intention of no longer offering cyber insurance to large corporations.
There seems to be a need to catch up anyway: according to a Gothaer survey, only about 16 percent of medium-sized companies in Germany enjoy protection. Experts state that this target group in particular is no longer receiving suitable offers.
Growing hurdles for the IT security letter of protection
In order to protect themselves, insurers are tightening the requirements for companies: They require a minimum canon of protection mechanisms before they consider the customer to be worthy of protection:
- Multi-factor authentication: This technology prevents the lion's share of automated attacks and efficiently reduces the risk. Without them, it becomes increasingly difficult to obtain adequate protection.
- Antivirus, firewall and malware detection: Insurers are increasingly asking about these basics of any IT defence.
- Endpoint Detection and Response (EDR): Cyber insurers are increasingly asking about endpoint protection. Extended Detection and Response (XDR) extends this defense and provides information on threats in the context of the entire IT infrastructure of an organization.
Insurers know better and better what they can and should demand from a customer. They act in their own interest to reduce their costs, keep raising the bar and demand exact compliance with the award criteria they have defined.
External help for more cyber credibility
🔎 A managed detection and response service by an external security operation center can help pay lower premiums for cyber insurance coverage (Image: Bitdefender).
Small and medium-sized companies in particular are therefore under pressure when it comes to working on the credibility of their own cyber defense using their own resources. Pure IT security technology can do little to help them. A well-staffed IT security team is often not available. External help is therefore important right now: A Managed Security Service Provider (MSSP) improves your own security and is increasingly becoming an entry ticket for the cyber police.
Managed Security Service Providers and their Managed Detection and Response (MDR) services offer undisputed added value for companies to continuously protect their applications, information and systems. In the eyes of the insurance company, their offers make them a credible pillar of IT defense for customers. Small and medium-sized companies in particular cannot afford this high-level protection due to a lack of their own resources. They therefore need external protection from services and IT security analysts to credibly document their cybersecurity initiatives.
MSSP soon a requirement for cyber police?
They also help companies to find the right policy because they already work with one themselves. MSSPs that offer such value add an extra level of protection to their customers. They advise their customers on how to obtain a suitable policy and how to set up their defense credibly. This has an immediate positive effect on premiums.
IT security service providers make it easier to find and work with cyber insurance. However, one should still not weigh oneself too securely. Not every case of damage is automatically covered, and non-monetary image damage, which is often even more devastating for business success, is not anyway. Nevertheless, decision-makers should try to do their part thanks to suitable IT protection in order to benefit from a cyber security policy.
More at Bitdefender.com
About Bitdefender Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de