Cyberattacks are inevitable, but cyber insurance can help you recover. Here’s how to strengthen your cybersecurity posture and become a more attractive prospect for UAE cyber insurance providers, lowering premiums and improving your security posture.
We live in a world where cyber breaches are a matter of ‘when’ and not ‘if,’ and cybersecurity leaders and business executives can only hope to manage their risks rather than eliminate them. For many, part of the solution is to take out insurance against these costs related to breaches, which include everything from court-awarded damages to ransomware payments.
Cyber insurance in the UAE is big business. SMEs can expect to cover between $270,000 and almost $1 million, and larger enterprises will likely cover themselves up to $100 million. And demand for these services is on the rise. Some predictions for the growth of the UAE cyber insurance market are greater than a 25% CAGR between 2023 and 2028.
However, an increase in the number of incidents and claims has led insurance providers to scrutinise applicants more thoroughly. They will examine the finer points of cybersecurity and risk management, asking a company how it protects endpoints, cloud environments, and Web applications. CISOs now must craft policies to align with insurance requirements.
People, processes, and technology are all part of underwriters’ considerations, so CISOs must consider them, too, while collaborating with other executives on the balance between safety and business agility. Premiums will shrink over time for those organisations that get the balance right. So, here are five areas to work on that will make your organisation a more attractive prospect to cyber insurance providers.
People
Of course, the UAE faces a security skills shortage, which calls for innovative thinking when delivering cyber hygiene. Automated patching is a great start. By automating rollouts to a select group and testing them, the same patch can be deployed at scale once it is established as safe. This allows the security function to ramp up its capabilities to meet modern pressures.
Technology
You cannot prove yourself a good prospect to an insurance company if you cannot confidently list the digital assets under your protection. Compiling an asset register in today’s sprawling environments is a job for technology; this is an inescapable fact. We are way beyond the simplicity of endpoints and servers in on-premises networks. We need to protect (and, therefore, capture information about) cloud deployments, containerized applications, and various other evasive elements.
Supply chains
Attackers will target anything—software libraries, container templates, public images. Teams need to know what is installed and what elements it is composed of. On top of this, they need to know what is running in real time. This creates rivers of telemetry, however, so you need to ensure your security team is equipped to handle it with a threat-prioritization approach that makes sense to your individual business.
Also Read: What is the Roadmap to Effective Cybersecurity Strategies?
Collaboration
If something needs to be changed, teams need to coordinate their activities. This cross-team collaboration needs to be monitored and assessed so you can show insurance companies what you do, how you do it, and how effective you are at doing it. Standard metrics such as mean time to detect (MTTD) and mean time to remediate (MTTR) will be useful. But to stand out, including mean time to communicate (MTTC), which measures the duration of team coordination and alignment, is a significant step in response processes. MTTC data can identify opportunities for improvement in communication flow and work practices.
Living with risk
Sometimes, an organisation may have to run critical systems out of support. The degree of business disruption caused by an update or replacement may entirely negate the possibility of implementation. In many cases, insurance companies would see this as too great a risk. Such issues should be thoroughly and transparently documented, and mitigation measures should be in place to have any chance of being offered coverage.
CISOs and other senior business leaders may have to make hard decisions that account for business necessities while allowing the enterprise to remain compliant with regulations. In some cases, compensating controls and workarounds will allow stakeholders to find this middle ground and convince their cyber insurance provider that the approach is robust enough to warrant coverage.
Cleaning house
How can we make ourselves more attractive to insurance providers and less attractive to attackers? Insurance companies are aware that cybersecurity teams need to get it right every day, whereas it only takes one bad day for attackers to tear it all down.
Cyber insurance is a critical component of recovery if the worst should happen, but providers are becoming more cautious. This does present an opportunity for all of us, however. This is the time to clean house, improve planning, and get smart about risk management. CISOs can consolidate their human and digital resources and find ways to optimise while managing their risk. Putting a claim on one’s cyber liability policy is a nightmare, even with insurance. So, why not work to prevent it and qualify for better, cheaper coverage?
