Cyber insurance guide for small businesses
Cyber insurance won’t protect you from cybercrime, but it can provide financial security if you’re attacked. In this guide we’ll explain what cyber insurance covers, whether it’s right for your business, and how to use vulnerability management to keep your premiums down.
Who needs cyber insurance?
When Sony’s PlayStation Network was breached by hackers in 2011, it exposed the personal information of 77 million PlayStation users, preventing them from using their consoles for almost three weeks.
Sony spent over $170 million fixing the problem. Some of it would have been covered by cyber insurance – but Sony didn’t have any. Its commercial insurance only covered damage to physical property, leaving Sony to cover the full costs of any cyber damages.
Today, most big businesses have cyber cover, but cyberattacks are a fact of life for every business as attacks become increasingly automated and indiscriminate. Smaller businesses are just as vulnerable, especially if they lack the staff or know-how to defend themselves.
Get the basics right first
From phishing to DDoS attacks and malicious account takeovers, there are 65,000 attempts to hack SMBs in the UK alone every day, any of which could result in fines, compensation, lost revenue and business disruption. Start-ups in particular are agile and fast-moving, and lost revenue or downtime can quickly sink the business.
You need to do all you can to prevent attacks and protect yourself from threats because insurance won’t do anything to prevent breaches. Insurance is just a safety net and even then, just like other insurance policies, insurers won’t offer coverage or pay out to cover the cost of breaches if you don’t take reasonable steps to prevent hackers from gaining access to your data.
Is cyber insurance worth the cost?
Ultimately, you need to weigh up the cost of insurance against the cost to your business following a breach and the risk of fines, loss of revenue and reputational damage. Some customers and suppliers may expect you to be insured before they’ll do business with you too. If you’re not secure, neither are they.
Insurers also provide benefits of cover beyond paying out money for a claim. Many cyber insurance policies include services to help you deal with cyberattacks when they happen – from crisis hotlines, forensic research and rescuing data and systems to negotiating with attackers, and dealing with customers and staff who have been affected. This can be a real lifeline when dealing with an incident your business has never experienced before.
What does cyber insurance cover?
Cyber policies fall into two categories: first-party and third-party cover. In the event of an attack, most policies will cover financial and reputational costs if your data or systems have been lost, damaged, stolen or corrupted.
For you – the first-party – cover should include the cost of investigating a breach, recovering lost data, restoring your systems, loss of income, reputation management, and the cost of notifying any customers or third parties affected. Third-party coverage (claims against you) includes damages and the cost of defending yourself against claims of a GDPR or data protection breach.
What doesn’t cyber insurance cover?
As with all insurance, there are exclusions. Cyber insurance generally doesn’t cover potential future lost profits, or the loss of value of your business from the theft of your intellectual property.
More importantly, ransomware – that is, the ransom money paid to hackers – may not be included, or only as an optional extra. Ransomware cover can be very expensive and, combined with cost pressures elsewhere, a lot of organisations are choosing to buy less insurance, hold on to more of the cyber risk themselves, and pay the ransom if they’re breached. When your business is on the line, after all the hard work that got you there, you’re not going to say no unless you’re 100% sure you can recover.
It’s worth noting that most governments and law enforcement agencies recommend against paying, or expressly forbid it. In our opinion, all options should be available to you, because if you can’t pay the ransom then you can’t determine your own future – with the caveat that these people are criminals. In the US, if it is proven that you’re paying a ransom to people on the sanctions list, you’re breaking the law and can go to prison. There are no cases of that happening yet, but more organisations are acting defensively because of it.
Remember that there may be no good option if you’re breached – you either go to prison, or you go out of business. So, you need to do everything you can to avoid being put in such a position by implementing a robust vulnerability management program.
How much does cyber insurance cost?
Your premium will depend on factors such as revenue, the industry you work in, the type of data you hold, and what cyber security controls you have in place. Policies can start from just £10 a month for a startup, so insurance doesn’t need to be out of reach.
Industries like healthcare or finance are more attractive to hackers. Because of the sensitivity of the information they hold, the levels of cover needed and resulting premiums can make insurance extremely expensive. Some insurers may even refuse to offer cover completely because of the rise in cyberattacks.
What do insurers require?
To keep your premiums down, insurers expect you to show that you’re committed to cyber security. They want to know that you practice good cyber hygiene and have robust security controls in place as part of an organised and proactive effort to manage cybersecurity risk.
Today, that means more than just anti-virus/malware protection, patching, staff training and a response plan. Insurers now scrutinise security controls and operational security and see what internal processes and standards you have to manage risk. Here are five tips to ensure you get adequate coverage and keep your premiums down.
1. Vulnerability management
Vulnerability management should be the starting point of every cybersecurity program. This includes vulnerability scanning, penetration testing, patch management and remediation.
Vulnerability management helps insurers understand the risks to your systems and data, so they can determine the appropriate level of coverage. There are several powerful and effective online tools like Intruder that will uncover known vulnerabilities and provide a summary of alerts for you to act on.
Regular vulnerability scanning should be paired with scheduled penetration testing for more in-depth, manual analysis. If the threat is low, insurers will be satisfied that you’ve taken steps to protect your data to avoid costly breaches.
Scanners like Intruder will also uncover any open ports and SSL/TLS certificates that have lapsed, as well as scan for vulnerabilities in your cloud-based services, and internal and external systems. These internal scans will also identify any endpoints needing critical software and firmware security patches.
2. Create an incident response plan
Insurers generally want to know how you’ll mitigate the immediate financial costs (how you will prevent further damage and ensure business continuity) and how you will manage in the long term (notifying regulators and helping affected customers) of any breach.
The quicker you can respond to a security incident, the less severe the damage will be and the less they’ll have to pay out. NIST’s Computer Security Incident Handling Guide is a good place to start for an incident response plan.
3. Protect your data, wherever it is
Your data is always on the move, whether it’s sent to a third party, uploaded to the cloud or held on portable devices like laptops and USB drives. This always involves risk. The information is no longer protected by your network defences and can easily be compromised if it’s lost and not encrypted.
That’s why insurers expect you to apply appropriate controls like encryption and multi-factor authentication (MFA). Vulnerability scanners can also help uncover out-of-support or legacy systems sitting out of sight in your network, which could still be an easy target for attackers.
4. Check compliance and certification
When you share information with third parties or use their services, you also share the risk. Check the security controls and practices of anyone you intend to work with. Some organisations and insurers expect you and your suppliers to have ISO 27001 or SOC 2 certification, both of which require regular vulnerability scanning and penetration testing.
5. Train staff in good cyber hygiene
The human factor is often overlooked, but employees will inevitably make mistakes that run the risk of compromising your systems and sensitive information. Ensure they understand the risks and why they need to stay vigilant with regular cyber hygiene training.
Pair insurance with vulnerability management
The role of cyber insurance may come after a breach, but it remains a useful component of any organization’s vulnerability management strategy because nobody is immune to ransomware, malware, DDoS attacks or other cyber threats.
And as the threat landscape gets ever more complex, some organizations will turn to cyber insurance for an added layer of protection. If you decide insurance is right for your business, you can demonstrate your commitment to cyber security with a vulnerability scanner and harden your security posture at the same time.
If you’re looking at insurance for the first time or trying to reduce your premiums, use Intruder to show that you take your cyber security seriously. Start your free trial today.
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
- Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
- Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they were previously having to hunt for themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
- The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
- We’re starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
- Any detection released a month after the details are publicly available is decreasing in value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public: Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs, before publication. Then, since 2010, Tenable have released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to only checks released between 180 days prior to a CVE being published and 31 days after a CVE being published. These seem to me like reasonable limits, as anything greater than 6 months prior to CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We do not yet have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities, Tenable could win this category. However, with the delay time for 2019 and 2020 going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie. It’s a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.