Why Your Eligibility for Cybersecurity Insurance May Depend on Your Backup and Disaster Recovery Strategy

April 21st, 2022

Having a solid backup and disaster recovery (BDR) plan backed by effective BDR technology makes good sense. It will help a business get back on its feet more quickly after a natural disaster, IT failure, outage, or human error, minimizing downtime, reputational damage, and noncompliance. Most businesses don’t need too much convincing that they need BDR solutions. But just in case you need one more reason, some carriers require BDR solutions before they’ll write your cybersecurity insurance policy. Here are three FAQs and answers to explain why.

What is Cybersecurity Insurance?

With cyberattack activity increasing in frequency and sophistication, protecting your business with cybersecurity insurance may be a smart move. Companies can purchase cybersecurity insurance to reduce the financial risks from an attack. It goes beyond the errors and omissions (E&O) policies that businesses often carry. Cybersecurity insurance covers the costs of legal fees, repairing damage done to a business’s IT systems during the attack, recovering data, notifying customers about the attack, and monitoring and securing customers’ identities and accounts.

Why Do Cybersecurity Insurance Carriers Require BDR?

Ransomware is taking a phenomenal toll. Sophos reported the average ransomware recovery costs had more than doubled from $761,106 in 2020 to $1.85 million in 2021. If the ransomware victim had cybersecurity insurance, this increase fell squarely on insurers struggling to balance risks and coverage in a rapidly changing cyberthreat landscape.  

Additionally, underwriters have little visibility into a business’s cybersecurity status. Unless they set out the standards on which they base their risk analyses, they would have little basis for deciding whether a business is at high or low risk of falling victim to an attack.

Cybersecurity insurance companies also know secure backups will help a business restore data more quickly and reduce the costs of recovering after an attack. A well-planned strategy, such as Veeam’s 3-2-1 backup rule, ensures you have recoverable data. With this plan, you keep three copies of data on at least two different types of media, with at least one copy off-site. To strengthen this plan, ensure one copy is offline, and therefore out of reach of a ransomware attack, and always ensure that backup copies have zero errors.
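The following audit of a backup inventory against the rule above is an added example, not code from Veeam or from this article. The `BackupCopy` record, the `audit_backups` function and the sample inventory are hypothetical and constructed for illustration. It assumes the three copies are the ones listed in the inventory, and that "zero errors" means a copy's SHA-256 digest matches the digest recorded when the backup was taken, so a corrupt copy does not count toward any requirement.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class BackupCopy:              # hypothetical inventory record
    name: str
    media: str                 # e.g. "disk", "tape", "object-storage"
    offsite: bool
    offline: bool              # not reachable from the production network
    data: bytes                # stands in for the stored backup content

def audit_backups(source_digest: str, copies: list[BackupCopy]) -> list[str]:
    """Return unmet requirements; an empty list means the set passes."""
    findings, good = [], []
    for c in copies:
        # Only copies that verify against the recorded digest are counted.
        if hashlib.sha256(c.data).hexdigest() == source_digest:
            good.append(c)
        else:
            findings.append(f"copy '{c.name}' failed integrity verification")
    if len(good) < 3:
        findings.append(f"only {len(good)} verified copies, need 3")
    if len({c.media for c in good}) < 2:
        findings.append("verified copies use fewer than 2 media types")
    if not any(c.offsite for c in good):
        findings.append("no verified copy is off-site")
    if not any(c.offline for c in good):
        findings.append("no verified copy is offline")
    return findings

# Constructed sample data, not taken from any real environment.
PAYLOAD = b"constructed sample: nightly database dump"
DIGEST = hashlib.sha256(PAYLOAD).hexdigest()
HEALTHY = [
    BackupCopy("primary-nas", "disk", False, False, PAYLOAD),
    BackupCopy("cloud-bucket", "object-storage", True, False, PAYLOAD),
    BackupCopy("vault-tape", "tape", True, True, PAYLOAD),
]
# Same set, but the tape (the only offline copy) is truncated.
DEGRADED = HEALTHY[:2] + [BackupCopy("vault-tape", "tape", True, True, PAYLOAD[:-1])]

if __name__ == "__main__":
    print(audit_backups(DIGEST, HEALTHY))
    print(audit_backups(DIGEST, DEGRADED))
```

In the degraded set a single corrupt tape produces three findings, because that copy was also the third copy and the only offline one.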

What Else Do Businesses Need to Qualify for Cybersecurity Insurance?

Although BDR solutions can shorten the time to get ransomware attack victims up and running again, they are by no means the only things insurers are looking for when assessing risk. Depending on the insurer, you may also need to certify that your business has:  

  • A firewall to protect your network 
  • Updated antivirus solutions on all PCs and computers 
  • Access control with user permissions assigned and managed according to company policy 

Additionally, if you operate a business in a regulated industry, your cybersecurity insurer will also look for proof of compliance with industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and SOC 2. These regulations include security and data protection requirements, and complying will demonstrate to insurance carriers that your business is doing what it can to mitigate risks.  

The Elephant in the Room

There’s another reason insurers may require you to take measures to protect your business and your customers from cyberattack: It’s to avoid insurance becoming a crutch. It’s possible that some companies or organizations could take the position that with the insurance, they don’t need cybersecurity solutions – if they’re attacked, costs are covered.  

However, from a cybersecurity insurance carrier’s perspective, it’s too much risk to take. To be approved for a cybersecurity insurance policy, you will need to prove you’re willing to take responsibility and do all you can to ensure the chances of making a claim are low. 

Cybersecurity insurance, along with backup and disaster recovery and other measures to protect your network and your data, should all be a part of your IT security strategy.  

To learn more about backups, recoverability, and data retention using Veeam that meet regulatory compliance and cybersecurity insurer requirements, contact Virtual Systems.
