10 Ways to Lower Your Cyber Insurance Cost with Application Security
In recent years, the average annual cost of cyber attacks to small and medium-sized businesses has been $25,000 and $50,000 respectively. For enterprise-size companies, the cost rises to $504,000 annually. With this reality, it's unsurprising that cyber insurance has become big business, with rising premiums for business owners.
Consider these statements from major cyber insurance vendors:
"Cyber prices continue to exceed expectations" - Beazley, the Lloyd's of London insurance company
"...significant growth in cyber rates" - Hiscox
"This encouraging trend will be a tail wind to full-year profits" - Citi
In the same vein, the U.S. Department of Homeland Security has advocated for a robust cybersecurity insurance market as a way to:
"...help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured's level of self-protection." - U.S. Dept. of Homeland Security
We must add that Resilient is not against cyber insurance. Like any other insurance market, it exists to provide coverage in the event of unexpected loss or negligence. We are only emphasizing that cyber insurance is designed to be more costly for companies with perceived negligence in security due diligence. In fact, when applying for or renewing your cyber insurance, you can expect to be asked about what your security practices are.
For SaaS companies, which we serve, here are ten foundational things you should be doing to protect your customers and lower your cyber insurance cost:
1. Adopt a Secure Development Lifecycle that ensures security is built into every phase of software development.
2. Right from your product concept and architecture stages, perform threat modeling to ensure that your product is Secure By Design.
3. Design your product architecture to effectively leverage the compliance and security capabilities of major IaaS providers like Amazon, Google, and Microsoft.
4. Always encrypt sensitive customer data at rest and in transit.
5. Build secure code reviews into your software development process, such that security-sensitive code is manually reviewed before it is merged to master or pushed to production.
6. Run or automate static analysis to check your code for security flaws.
7. Use fuzz testing to automate security testing of your software APIs.
8. Perform periodic penetration tests and security audits to verify the robustness of your security controls.
9. Use automation to monitor and patch your software supply chain for known vulnerabilities.
10. Be compliant with the security standards that are relevant to your industry.
Doing any of the above will give cyber insurers greater confidence in your due diligence and your protection against attackers. No, it doesn't mean you can't be attacked. But it does mean you'll be harder to crack. This matters because most attackers are looking for easy openings: the less time they need to invest, the more profit they get to keep.
As you will notice from the links in the list, we have different articles on our site that highlight tips, tools, and tricks for accomplishing the foundational steps above. Additionally, if you're the DIY-type, you can find more in-depth guidance in our books, templates, and courses.
You don't have to hire us, but you've got to do something.
What Resilient has going for it is a team with over 60 years of combined experience in securing startup and enterprise software platforms. Software is our space; security is our jam.