Cybersecurity Risk Controls Remain Key to Risk Mitigation, Resilience & Insurability

Proactive cybersecurity strategies for business owners and C-level executives

by Jordan Freeman

With technology increasing in sophistication year after year, business owners and executives must stay more vigilant than ever when it comes to preventing data breaches and cybersecurity threats. A cyber-attack can cost a company millions of dollars — and, with many businesses operating on razor-thin margins in today’s economy, such a large financial hit could be devastating. That said, the risk and impact of cybersecurity attacks are greatly reduced with the right risk management plans in place.

According to the latest data from IBM, the global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years. The demand for comprehensive cyber insurance is skyrocketing. And with cybersecurity claims continuing to rise, it is expected that carriers will increase cyber insurance rates — although the increases are moderating — increase the self-insured retention limit and adjust their terms and conditions, mainly exclusions.

As 2024 begins, business owners are looking for additional ways to safeguard their information and ward off cyber-attacks and threats to keep costs as low as possible and their claims at bay. The key lies in strategic risk management efforts and programs.

From an insurability perspective, three distinct areas of cyber risk management matter the most in insurance negotiation and warding off cybersecurity threats: legal components of compliance or risk management, proactive information security, and education.

Compliance & Risk Management

Legal compliance and effective risk management are critical for protecting an organization against cyber risks. These crucial elements not only ensure regulatory adherence but also safeguard the company’s reputation and financial well-being in case of a security breach. A few strategies to consider are:

  • Compliance with industry laws & regulations: Ensuring the organization complies with security mandates is the first step to warding off potential threats. These regulations are in place to protect employees and sensitive data, but also the company’s bottom line should an attack occur and legal action follow.
  • Third-party access measures and supply chain management: When working with vendors or digital supply chains, it’s important to put legal and preventive measures in place for third-party access to reduce overall cyber risk exposure. This can be in the form of a business continuity plan (BCP), which establishes the proper protocols and recovery systems if attacks occur.
  • Employee policies & procedures: Having written policies and procedures in place for employees to follow in the case of an attack keeps commitment to safety at the forefront of the organization and minimizes potential for further damage.

Proactive Information Security

Protecting digital assets requires proactive measures like incident response planning, threat detection and monitoring. These activities allow organizations to identify, detect and contain attackers’ actions early. Alongside tools such as multi-factor authentication and regularly monitoring for exposures, companies should implement additional techniques to increase security, such as:

  • Patch management and vulnerability scans: These routine checks allow senior leadership to apply patches and to uncover existing vulnerabilities and remediate them before threat actors have a chance to exploit them.
  • Secured, encrypted and tested backups: Attackers tend to delete backups before launching a ransomware attack to improve their odds of being paid. It is essential to secure backups through encryption, keep them independent from the production network, and establish a data restoration testing schedule to confirm that backups can actually be restored as intended.

Educational Opportunities

Providing employees with proper cybersecurity training and running simulations is another integral component of warding off threats and building overall resiliency. Some common areas of focus are:

  • Identifying phishing scams: This can be done through conducting email phishing testing and providing ransomware awareness training to employees.
  • Updates on the cyber environment: Organizational leadership should provide regular updates on security initiatives and their performance to help people remain aware of and vigilant to changes in the cyber environment.
  • Create a Cyber Incident Response plan: Having a current CIR plan along with a well-trained team and experienced senior leadership ensures efficiency when handling cyber incidents. Combined with backups, other business continuity strategies and monitoring of endpoints and the network, these measures significantly mitigate the impact on business operations and protect an organization’s reputation in the event of an incident.

Having security controls in place not only helps mitigate a company’s risk and protects the business, but also makes them more attractive to insurance carriers. In turn, this entices a more competitive premium with less restrictive cyber coverage terms and limits. Taking control of proactive measures through information security, legal components and education safeguards the business and ensures it is well poised for the year to come.

Jordan Freeman, CLCS, is a business insurance broker at Marsh McLennan Agency (formerly Lovitt & Touché). Freeman specializes in technology, software and life sciences, assisting companies scale their business insurance program and placing policies allowing companies to transfer risk.
