There are a variety of ways to do this. It's not just one insurance company deciding how much your premium is; there are more.
There are around 30 ways to choose from. They include having the best cyber security controls in place, such as:
(1) EDR, 24/7 monitoring, security monitoring, and penetration testing
If we're doing all these things, it puts us in a position to interact with the best insurance carriers in this space, the ones that are going to have the lowest premiums to start with.
So it's almost like a double interaction here. First, you filter for the top carriers, which are going to give better premiums. Then you show that you have the things they're looking for (e.g. security controls), and your premium should be the best possible.
(2) Implement a strong password policy
I (Joe) think everyone struggles with this, myself included. At times, it's because you've got a million passwords and you need to keep track of them. Email monitoring is so important, but it takes a little extra time. Being thoughtful about passwords and email is so important and surprisingly effective at limiting your exposure to a lot of risks.
(3) Connect with an IT expert
If you have taken the steps to connect with an expert like Wayne Roye of Troinet, they would recommend you implement a comprehensive approach. From an insurance perspective, it gives you not only the best options but also the lowest premium, and hopefully a lower retention too.
It's often a sliding scale. You can't consider the premium alone; you also have to factor in the retention/participation clause. You may have a low premium but a very high retention, amounting to twenty-five thousand dollars ($25,000) per incident.
So, when you have advantageous controls, you can look for a lower premium and a lower retention, which puts you in a much better place. If you look at the yearly cost of a potential incident, you have to factor in not just the premium but also the retention/participation rate.
“You may have a low premium but the retention rate is very high”
The Main Challenge of SMBs in cyber insurance
(4) Proof or Documentation of Due Diligence
Provide proof of due diligence. I'll keep it as simple as possible: remember, in court, what doesn't get documented never happened. You need to be able to provide proof that you've done due diligence to protect your company, employee, vendor, and client information. Both when you fill out cyber insurance applications and if something happens, that's what they're looking for. They want to know whether you can provide:
- a list of all the assets that access company data
- logs of any activity
- reported remediations
- if there’s an attack, can you produce a root cause analysis of who, what, where, and why?
Remember to document these conversations in case you have a claim or have to go into litigation.
“You need to be able to provide proof that you’ve done due diligence to protect vital information”
IT support and IT security are two different things, and I (Wayne) am going to harp on this. I'll give you an example: I don't go to my general practice physician for heart surgery. He can give me general advice, but I'm not expecting him to do the work.
Most insurance providers talk about things like reducing your policies and increasing your cyber security controls; they're looking to make sure that you're doing the right things and can document and show proof of what's happening.
There's a lack of understanding among SMBs of what counts as vital proof of diligence. At Troinet, we've looked at the problem and built out toolsets.
These solutions give your company the ability to follow best security practice. Work with our company and you will see all these things. We've put all the pieces of that puzzle together so that if you ever have to go out and renew your policies, you're in the best light possible. If there's a claim or a lawsuit, you can go back and physically have the proof that "hey, I've done due diligence." It's not saying, "hey, I've got an IT company and an antivirus," because that's not going to fly in a court of law: that's not due diligence, and it's not well documented. We're able to help you with that; we have the tools in place.
“Work with our company and you will see all these things. We’ve put all the pieces for that puzzle so that if you ever have to go out and renew your policies, you’re in the best light possible.”