In the first half of 2021, businesses spent $590M on ransomware payments, compared with $416M for all of 2020. As the pace and impact of ransomware and malware attacks continue to grow in the U.S., many businesses are turning to cyber insurance. Those same forces, however, are also driving up both the cost of coverage and the requirements insurers impose before they will write a policy.

“The cost of cyber insurance is based in part on the frequency, severity, and cost of cyberattacks, all of which have been increasing. The uncertainty about future threats also plays a role, and insurers have become more selective about who and what gets covered.”[1]
Most insurers now require businesses to have 12 specific security controls in place before coverage is granted.
Businesses that were previously covered may also need to demonstrate compliance with these controls in order to renew an existing policy.
12 Security Control Requirements for Cyber Insurance
- “Multifactor authentication – employing a combination of verification factors to access the network, such as password or pin, along with a security token, mobile app, or a biometric identifier.
- Endpoint detection and response – using machine learning and continuous monitoring to identify stealthy threats to laptops, tablets, and mobile phones.
- Secure backups – ensuring your business has an immutable backup, which is isolated from local systems, to enable you to recover lost data when necessary.
- Network access controls – enforcing least-privilege access principles to ensure staff only have access to data and systems necessary to perform their jobs.
- Filter content – using content filtering solutions to mitigate data leakage.
- Patch management – having a patch management plan which includes a framework for prioritizing, testing, and deploying patches.
- Incident response planning – developing an incident response plan that outlines specific procedures for detecting, responding to and recovering from a cyberattack.
- Cybersecurity awareness training – providing regular security awareness training to teach staff how to identify signs of an impending attack.
- Secure remote access – applying encryption and multi-factor authentication to your remote desktop protocol practices.
- Monitor event logs – enabling security event logging for all systems, software and endpoint devices and actively reviewing and analyzing those logs to detect attacks.
- Replace end-of-life systems – replacing outdated applications and systems before they go end-of-life and have security vulnerabilities.
- Manage supply chain risk – evaluating your suppliers’ security practices and incorporating security requirements into their contracts.”[2]
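Two of the items above, "Monitor event logs" and "Secure remote access", only pay off if someone actually turns the logs into alerts. The script below is an added example, not code from the original page or from Global Data Systems, showing the kind of detection logic a practitioner would run over Windows Security events. The pipe-delimited line format (timestamp, event ID, logon type, account, source IP) and the sample lines are constructed for the example; the event IDs are the real Windows ones (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The thresholds are assumptions to tune for your environment.

```python
"""Toy log-monitoring pass for RDP brute force, compromise after brute
force, and password spraying. Added example; the log format, sample
lines and thresholds are assumptions, not the page's or a vendor's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data):
#   <ISO timestamp>|<EventID>|<LogonType>|<Account>|<SourceIP>
SAMPLE_LOG = """\
2022-07-20T02:00:01|4625|10|alice|203.0.113.7
2022-07-20T02:00:04|4625|10|alice|203.0.113.7
2022-07-20T02:00:07|4625|10|alice|203.0.113.7
2022-07-20T02:00:10|4625|10|alice|203.0.113.7
2022-07-20T02:00:13|4625|10|alice|203.0.113.7
2022-07-20T02:00:20|4624|10|alice|203.0.113.7
2022-07-20T09:15:00|4625|10|bob|198.51.100.9
2022-07-20T09:16:00|4624|10|bob|198.51.100.9
2022-07-20T11:00:00|4625|3|svc-backup|192.0.2.50
2022-07-20T11:00:01|4625|3|admin|192.0.2.50
2022-07-20T11:00:02|4625|3|carol|192.0.2.50
2022-07-20T11:00:03|4625|3|dave|192.0.2.50
2022-07-20T11:00:04|4625|3|erin|192.0.2.50
2022-07-20T11:00:05|4625|3|frank|192.0.2.50
"""

FAILED_LOGON = "4625"      # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"      # RemoteInteractive (Terminal Services / RDP)


def parse(text):
    """Parse the assumed pipe-delimited format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "account": account, "src": src})
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, spray_accounts=5):
    """Group events by source IP and apply three rules; return a list of findings."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["id"] == FAILED_LOGON]

        # Rule 1: RDP brute force - fail_threshold RDP failures from one IP inside one window.
        rdp_fail = [e for e in failures if e["type"] == RDP_LOGON_TYPE]
        burst_end = None
        for i in range(len(rdp_fail)):
            j = i + fail_threshold - 1
            if j < len(rdp_fail) and rdp_fail[j]["ts"] - rdp_fail[i]["ts"] <= window:
                burst_end = rdp_fail[j]["ts"]
                findings.append({"rule": "rdp_bruteforce", "src": src, "severity": "medium"})
                break

        # Rule 2: a successful logon from the same IP shortly after the burst.
        # This is the one to page on: the guessing most likely worked.
        if burst_end is not None:
            for e in evs:
                if e["id"] == SUCCESS_LOGON and burst_end <= e["ts"] <= burst_end + window:
                    findings.append({"rule": "success_after_bruteforce", "src": src,
                                     "account": e["account"], "severity": "high"})
                    break

        # Rule 3: password spray - one IP failing against many distinct accounts
        # inside one window (any logon type, since sprays usually hit SMB/LDAP too).
        for i in range(len(failures)):
            accounts = set()
            for e in failures[i:]:
                if e["ts"] - failures[i]["ts"] > window:
                    break
                accounts.add(e["account"])
            if len(accounts) >= spray_accounts:
                findings.append({"rule": "password_spray", "src": src,
                                 "accounts": len(accounts), "severity": "medium"})
                break
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f)
```

On the sample data this flags 203.0.113.7 twice (a five-attempt RDP burst followed by a successful logon as alice) and 192.0.2.50 once (six accounts tried in six seconds), while the single failed-then-successful logon from 198.51.100.9 stays quiet. The same three rules are what you would expect a SIEM correlation search to express; the point of the control is that the events are collected centrally and someone, or something, evaluates them continuously rather than after the breach.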
Hire or Do It Yourself

There are two ways a business can put these 12 security controls in place.
It can hire the necessary IT staff and buy the tooling itself. This route is expensive and slow, and it usually pulls existing staff away from other strategic projects, slowing momentum on those fronts.
The other option is to engage a cyber consulting firm to implement the controls and monitor the business around the clock, covering internal as well as external threats. This frees up existing staff and removes the burden of continually allocating resources to an ongoing effort.
Some cyber consulting firms claim that none of their clients has ever had to pay a ransom. Those are the providers to look for, but ask them to back the claim with references and with evidence that the controls above are actually deployed and tested for their clients. Cyber insurance is worth having; it is better still never to need it.
Proactive Security Best Practices
The most prudent approach to cyber protection includes a combination of the 12 security controls, cyber insurance, and a proactive prevention strategy.
Either on your own or with the aid of a service provider, consider employing these additional security measures:
- Conduct thorough penetration testing, active device scanning and threat modeling.
- Closely monitor the latest and most trusted threat feeds and intelligence reports.
- Deploy security information and event management (SIEM) software that ingests events from your desktops, servers, network devices and mobile devices to identify threats and perform user behavior analysis.
- Perform frequent forensic security reviews to identify previously undetected anomalies.
- Use security software to identify policy-violating configurations and malware hidden across your organization.
As the state of cybersecurity is ever-evolving and the cost of cyber insurance is ever-increasing, now is the time to ensure that your security defenses, all of them, are in place and active. You never know when or where the next attack is coming from, and you want to be sure your business, network and staff are ready. You may have cyber insurance in place, but you do not want to have to rely on it; by then, it is already too late.
[1] “Rising Cyberthreats Increase Cyber Insurance Premiums While Reducing Availability”, U.S. Government Accountability Office, July 19, 2022.
[2] “Cyber Insurance Checklist: 12 Essential Security Controls”, Global Data Systems, July 2022.