August 24, 2022

By Darren Hulem, CISA, CEH, Security+, Supervisor, IT and Risk & Advisory Services

As cyberattacks grow in frequency and complexity, organizations are asking, “Is Cyber Insurance worth it?” The short answer is “Absolutely!” Before contacting an insurance company, we recommend some research and due diligence to position your organization for reasonable rates. Coverages can vary from carrier to carrier, and can include business interruption, breach remediation coverage, reputational damage, cryptojacking losses, and invoice manipulation, for example. According to the Government Accountability Office (GAO), the number of organizations enrolling in cyber coverage has increased from 26% in 2016 to 47% in 2020. With more and more organizations opting-in for cyber coverage, premiums have increased, and insurers are taking steps to limit their exposure to losses.

GAO Data - Change in Cyber Insurance Premiums, 2017-2020

What are insurers asking?

When renewing or shopping for cybersecurity insurance, know that insurers will ask a variety of questions to see what your organization is doing to protect itself. Some questions that you may see on your application include:

  • Does your organization have a written Information Security Policy?
  • Does your organization store, use, or transmit personally identifiable information?
  • Does your organization use any of the following technologies/practices?
    • Application Whitelisting, Email Filtering, Firewall, Web Content Filtering, Employee Awareness Training, Encryption, Network Monitoring, Vulnerability Scanning, Penetration Testing
  • Does the organization have a Disaster Recovery Plan? If so, how often are backups taken? Are they saved in multiple locations?
  • Does the organization deploy multi-factor authentication (MFA)?

During the underwriting process, insurance carriers may also perform an Open-Source Threat Intelligence (OSINT) scan on your organization to assess its cyber risk level, which determines the risk exposure for the insurer. You may ultimately be denied cyber insurance coverage based on poor cyber scan results.

Note, there can be negative insurance implications if your organization is assessed to have poor controls including. An insurance carrier can decline to offer coverage, or it might impose sublimits, coinsurance, or exclusions.

How GRF Can Help

GRF believes the best starting point is to get a cyber risk assessment of your organization so you can improve your cyber score and get better insurance rates. Our technology is comprised of some of the same technology that your future insurance provider may leverage as part of their due diligence process. For help or next steps please feel free to reach out to us at the contact info below.

GRF Darren Hulem

Darren Hulem, CISA, CEH, Security+
Supervisor, IT and Risk & Advisory Services



GRF Melissa MusserMelissa Musser, CPA, CITP, CISA
Partner and Director, Risk & Advisory Services