Purchasing a Cybersecurity Insurance Policy? Consider These 3 Details

In a cyber climate where businesses are doing everything possible to minimize risk, nearly everything offered as an answer to this challenge is considered. It’s no surprise that cybersecurity insurance policies quickly caught the attention of data security professionals when they became available to purchase.

While it’s in no way intended to be a silver bullet in the grand scheme of information security, cybersecurity insurance is a component of a risk management strategy that allows businesses to transfer certain aspects of financial risks tied to a security event onto the insurer.

Today, more and more businesses facing cyber risk are looking for new ways to mitigate it and any potential data losses, says Andrew Herlands, vice president, Global Security Architects at Trustwave. That’s why this form of compensation control is increasingly being considered in ensuring whatever risk appetite the business settles on is acceptable.

“Cybersecurity insurance isn’t that new of a concept,” Herlands says. “In the last few years—maybe even the last couple of years—organizations have started to buy into this type of policy.”

While you may not be in the process of buying cybersecurity insurance, there is some fundamental knowledge to grasp before making your decision:

1. Policies Are Not Mandatory

Are you obligated to purchase cybersecurity insurance? Well, it certainly isn’t mandatory if you believe your business is equipped to manage cyber risk. However, even if you’re second-guessing your organization’s cyber risk tolerance and your ability to manage it, no law or regulation requires you to purchase it.

Given the complexity of available policies, many businesses are passing up cybersecurity insurance because of high costs, confusion about what policies cover, “and uncertainty that their organizations will suffer a cyber attack,” according to the Department of Homeland Security.

There’s no reason to write off a policy, however, especially if it plays a role in managing the acceptable risk the business has settled on.

“If I had to suggest one thing to a security leader, it’s to try and quantify what that risk is to your organization,” Herlands says. “The more data you store electronically, the wider your data center footprint is, which also leads to more people accessing that data. Those are all variables to consider when assessing your risk posture.”

Because cyber risks are difficult to measure given that attack vectors and attack sophistication continue to evolve, many policies can be costly. So, the better you define your risk, the higher the chances are for you to obtain a premium that reflects the needs of your risk mitigation strategy, and of course, budget.

2. Policies Are Evolving Over Time

Similar to the threat landscape and the cybersecurity solutions marketplace, cybersecurity insurance has evolved.

Twenty years ago, cyber attacks primarily came in the form of a web defacement and a hit to the reputation of the organization. While there were breaches taking place, most organizations didn’t have all of their assets accessible online or on a network. Of course, that’s all changed now.

As businesses have digitally transformed themselves over time—with many using multiple cloud environments to store their critical assets—risk has only increased, says Herlands.

“The target landscape has blossomed, attackers have gotten much more sophisticated, and vulnerabilities are as dispersed as the data found in the business,” he says.

This causes policies to change over time. Cyber has been much more difficult for insurance providers to pin down because it is much more challenging to quantitatively measure the risk that an organization is going to face and wants to insure.

However, as insurers get more competent and refined in understanding how to quantify risk, they’ve been able to tailor cybersecurity insurance, rather than take a broad-blanket policy approach. Now, many providers have put the onus on the business they’re insuring to take commercially reasonable steps to lower cyber risk.

“They have to have certain controls in place and also conduct an audit to ensure those controls are implemented effectively,” Herlands added. “It’s going to continue to evolve as insurers get more sophisticated and get more history in insuring organizations. They’re going to learn lessons that there are certain breaches they have to cover.”

3. The Right Security Tools Lower Your Premium

While it may be difficult to measure those risks in a quantifiable manner, one thing’s for sure: if businesses implement the proper and recommended controls from a security standpoint, they may be rewarded with more favorable terms.

Large organizations that rely on credit card processing, manage healthcare or financial records, intellectual property, or government secrets have a cyber miscreant’s bullseye aimed at them. In these cases, risks inherently skyrocket seeing as the sensitive data is so valuable to attackers looking to benefit from it in the underground economy. Naturally, the higher the risk, the more solutions will likely need to be in place to proactively combat cyber threats and protect the valuable databases housing sensitive information.

“Either the premiums are going to be high—relative to the size and complexity of the organization—or businesses can counter them by deploying certain policies, procedures and solutions in the hopes of reducing those insurance costs,” Herlands says. “In many ways, investing in a more robust data security program today will demonstrably reduce your risk and the high premiums that come with high risk.”

For businesses that take an adaptive approach to security, the likelihood of having a lower cybersecurity insurance premium is significant. This would then allow them to access a preferred premium that plays a role in the organization’s overall risk management strategy.

Over time, customers will become more mature and more competent in their cybersecurity initiatives, policies, procedures, and the technology they employ. As the threat landscape continues to change, so will cybersecurity coverage, as insurers ensure they’re covering their customers.

Trustwave's database solution, Trustwave DbProtect, was recently recognized by leading insurers for reducing cyber risk. In the inaugural round of the Cyber Catalyst by Marsh program, Trustwave DbProtect was one of the 17 solutions designated as a Cyber Catalyst out of the 150 products and services evaluated. 

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.
