What to Do When Your Business Insurance Starts Requiring Cybersecurity

Here’s the scenario. Your business insurance provider may have reached out to you, asking questions about your IT and overall cybersecurity. In our experience, this has caused some confusion for a lot of organizations, so we wanted to chime in and help Austin business owners get a better understanding on why your insurance provider is even getting into the weeds with this, and what they are actually looking for.

First, Know That This is All Pretty New to Most Insurance Providers

Look at this as a “blind leading the blind” situation. Your insurance provider, and in particular, the agent you are directly interfacing with, might not be technically savvy enough to fully explain IT or cybersecurity requirements, or why they matter when it comes to your insurance coverage. 

We’ll even admit, there’s more to this than we could fit into a single blog post. Cybersecurity is complicated, nuanced, and often varies on a case-by-case basis. There are definitely some cybersecurity standards and best practices that apply to virtually any organization, but none of this stuff is inherently simple.

When your insurance agent is passing you over details and trying to explain things, they are probably doing the best they can. That said, they probably aren’t an expert on cybersecurity, they don’t know what you already have at your business, what you are and are not doing, or even what kind of data or compliance standards you are working with. Truth be told—this stuff has gotten extremely complicated over the last few years, and it’s only going to get more complex and more important for organizations of all sizes moving forward. That’s okay, that’s why we’re here to help.

The Situation: My Business Insurance Company is Asking Questions About My Cybersecurity

You might be switching providers or renewing your business insurance, and suddenly you are being asked questions about your IT and cybersecurity. Most of the time, these questions are going to be pretty standard, but depending on your insurance provider, they might have some variation. First, let’s take a look at what the general questions tend to be based around:

• Strong password policies
• Multi-factor authentication
• Email filtering and spam protection
• The overall security of your website
• Web security and firewalls
• Secured, encrypted data backups
• Endpoint detection and response (EDR)
• Vulnerability management
• Security awareness training and testing

One thing we’ve noticed, just based on what clients and prospects have brought to our attention, is that sometimes, the way the insurance agent explains all of this to them makes it sound like it all relates to your organization’s website.

This is not the case. While we’ve certainly seen a company’s overall website security get brought up in the overall mix when it comes to cybersecurity, the majority of these elements are wrapped around your internal IT infrastructure. The website security side is still important, so we definitely wanted to mention it. I think the impression that some people tend to get is that their insurance company is focusing on website security—this isn’t the case, it’s all-encompassing.

The other misconception is that your insurance company is telling you that you aren’t in compliance in some way or another. This isn’t necessarily true either—they wouldn’t have a way to know what is going on with your internal IT.

In actuality, they are just asking you questions to make sure you are committed to some of the barest requirements of protecting your business against the rising risk of cyberattacks. 

Why Does Cybersecurity Even Matter for Business Insurance?

Modern cybersecurity threats are becoming a bigger problem, and they are becoming more expensive for businesses to deal with. 

The average cost of a ransomware attack is a staggering $4.35 million. That doesn’t even include the cost of the average ransomware payment, which is now $812,360. These aren’t the typical annoying computer viruses that might disrupt your business for a couple of days and put you and your staff behind by a week. A ransomware attack can cause a major disruption to business that could take months or years to recover from. On average, ransomware victims take 326 days to identify and properly respond to an attack. 

This type of threat is a major risk to virtually any business—if you have computers, you are at risk. If you store important data, especially sensitive or personal information on your customers, clients, and staff, you are at risk. Your organization’s size, shape, and the industry you are in doesn’t change any of this (although some industries do tend to have even stricter regulations when it comes to protecting sensitive data).

It only makes sense that your business insurance company wants to make sure you are taking steps to reduce the risk if they are going to provide coverage for your business.

Take a Step Back; This Shouldn’t Be About Your Insurance

Yes, this conversation started because your business insurance company wants to make sure you are meeting certain criteria when it comes to cybersecurity. It might even affect your eligibility to be covered, or it might affect your rates.

Put all of that aside.

Confirm with your insurance agent that you have their full comprehensive list of everything they want. 

Then commit to it.

Consider the fact that you might prevent your insurance premiums from going up an added perk, but you should really be looking at these suggestions as an opportunity to do what’s best for your organization. These measures are massive steps to prevent catastrophic problems. 

You might already be halfway there. Many of our clients are going to be pretty well covered, or even surpass what these minimum requirements are. Whether you are a Capstone Works client or not, we encourage you to reach out to discuss this with us.

These requirements aren’t necessarily about throwing money at the problem; sometimes it’s more about establishing the right policies and making sure your current solutions are audited and up to date. It might involve purchasing hardware and software, and paying cybersecurity professionals to make some adjustments, but that investment could potentially save your business in the long run.

Let’s Get Your Cybersecurity In Check

We’re used to helping businesses meet demanding cybersecurity compliance requirements, so we can help your organization review your insurance requirements and then implement everything they want from you. Trust us; it’s better for your organization to have these taken care of. 

Let’s start by discussing your needs. Give us a call at (512) 343-8891 today to get started.