The reality of today’s world is that cyber attacks are becoming increasingly more common. During the COVID pandemic, as organizations went to remote work models, attacks increased by 358%, and since then, an upward trend has continued. The cost of a data breach is significant and rose to an all-time high this year, according to an IBM security report. But tech startups are particularly vulnerable. The National Cyber Security Alliance reported that 60% of startups go out of business within six months of a breach. Since startups lack the foundational longevity, assets and cash flow of their more established counterparts, combined with the fact that data privacy laws increase companies’ responsibility in protecting data, this means cyber attacks place more pressure on such companies. 

As a tech startup, a cyber policy is not only a no-brainer for risk mitigation, but the cost of doing business, since it may be included in your contracts with clients. 

Why Cyber Insurance Premiums Have Risen

Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries. Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes. Reinsurers and carriers are dropping out of the cyber arena which also impacts the cost as demand outpaces supply.

Since cyber coverage isn’t optional within the tech space, the key is to qualify for coverage and obtain the right coverage at the right price.

Steps to take to potentially Lower your Cyber Premiums

‍1. Implement a robust cybersecurity program

Proper cybersecurity is important when lowering cyber insurance premiums because it reduces the risk of a data breach or cyber attack. Cyber insurance providers base their premiums on the level of risk associated with providing coverage. The more secure your startup is, the less risk of a successful cyber attack and the lower the premiums for cyber insurance. But keep in mind that an important element to a solid cybersecurity program is ensuring that it is a Written Information Security Program (WISP) and that it is well documented. This promotes a culture of security within an organization. By implementing strong cybersecurity measures, organizations can reduce their risk and save money on cyber insurance premiums.

A good security posture could also increase your coverage level and even hasten payouts following a cyber incident. Awareness of the threat landscape influencing risk exposure is the foundation of an effective cybersecurity program. Aspects of a successful program that insurers look for include:

• Multi-factor authentication
• Implementation of a cybersecurity framework (the CIS 18 Framework is most relevant for startups and tech companies and it’s recommended by governmental organizations like the FFIEC)
• Zero-trust architecture
• Vendor risk management program
• Cyber incident response plan
• Cybersecurity training for staff
• Regular penetration testing
• Reliable and tested data backup process

If you have a cybersecurity program, or have any of the above measures in place, be sure to communicate it to your cyber insurer so it can be taken into account with your insurance coverage.

2. Obtain third-party cybersecurity certifications

A certification issued by a third-party assessor may significantly reduce premiums by offering evidence that your cybersecurity and IT compliance program operates within the guidelines of reputable governing bodies. The following certifications are the most helpful to have:

• PCI DSS: This certification proves that a business is compliant with the Payment Card Industry Data Security Standard, which is a mandatory requirement for companies that process credit card payments. 
• SOC 2 Types 1 and 2: These are auditing standards that evaluate the effectiveness of an organization’s controls for data security, availability, processing integrity, confidentiality and privacy. 
• SOC for Cybersecurity: This is a framework that provides guidelines for organizations to develop and implement a cybersecurity risk management program. It’s designed to help organizations better understand and manage their cybersecurity risks and provide a standardized approach to evaluating the effectiveness of a cybersecurity program.
• ISO 27001:2013: This certification helps businesses demonstrate their commitment to information security, and can help reduce insurance premiums. 
• SSAE 16/SOC 1: This certification demonstrates that an organization’s control systems are designed to meet certain standards and can help reduce the risk of a security breach. 

3. Implement software and technology to support cybersecurity processes

The right technology solution makes it easier to provide effective cyber risk management, and demonstrate IT compliance to underwriters and other third-party assessors. However, keep in mind that expertise is necessary to implement technology solutions. If you do not have this expertise in house, a Managed Security Service Provider (MSSP) can provide the expertise to implement these solutions. 

The following are the top software and technology options your startup should consider:

• Web Application Firewalls or Runtime Application Self-Protection (RASP): These are needed to provide an additional layer of security to web applications by detecting and blocking attacks in real-time before they reach the application, protecting against vulnerabilities and ensuring the integrity of user data.
• User Behavior Analytics (UEBA): UEBA is necessary to detect and respond to anomalous user activity, insider threats and other advanced attacks by analyzing user behavior and identifying deviations from established patterns or baselines.
• Endpoint Detection and Response (EDR): EDR is needed to provide real-time monitoring and response to advanced threats targeting endpoints, helping to detect and contain attacks before they can cause significant damage to an organization’s systems and data.
• Encryption Software: Encryption is a process that scrambles data for secure transmission. Encryption software is used to ensure that data is secure when being transmitted over a network or stored on a computer system. 
• FIDO Hardware Security Keys: Organizations need FIDEO hardware security keys to provide strong, two-factor authentication that is resistant to phishing attacks and helps protect against unauthorized access to sensitive systems and data.
• Data Loss Prevention (DLP) Solutions: DLP solutions are used to monitor and control the transfer of sensitive data. It can prevent data from being sent to unauthorized locations or accessed by unauthorized personnel. 
• Security Information and Event Management (SIEM) Solutions: SIEM solutions are used to collect, analyze and alert administrators of security-related events. It can detect malicious activity and provide insights into how attackers are trying to penetrate a network. Security Orchestration and Automated Response (SOAR) is often integrated with SIEM solutions to provide a comprehensive approach.
• Cloud Security Posture Management: This is needed to ensure cloud infrastructure for an organization is configured according to best practices, compliant with regulations and protected against misconfigurations, data breaches and other risks.
• Data Security Posture Management: Organizations must implement this to protect sensitive data throughout its lifecycle and often to comply with regulations and industry standards.
• Dynamic/Static Application Security Testing: A critical addition to a cybersecurity program, this helps identify vulnerabilities and security flaws in applications before they can be exploited by attackers.
• Software Composition Analysis (SCA): SCA is necessary for startups to detect and manage open source components and third-party software in their applications, identifying vulnerabilities and ensuring license compliance.

Cyber Coverage as Your Startup Scales

As your tech startup progresses through different stages or milestones, your cyber coverage will need to adapt to meet your needs which means changes in limits and premiums. For example, financial growth translates to higher premiums and higher retentions/deductibles may be required, although these can be used to also manage premiums. 

Also, as your startup progresses through each stage, you’ll have increased publicity. This can make you a target to cyber criminals, so cyber insurance needs to scale with you as you grow. If you base your limits on your current stage, it will soon be outdated, so when considering limits, think about the year ahead and have growth and future plans in mind. For example, in the coming year, will you launch new operations? Or add new employees? These developments can change your cyber landscape and thus your cybersecurity program and insurance.

Right-sizing Your Policy

You may be wondering how to know if a cyber policy is the right fit for your tech startup. We like to call this right-sizing. By right-sizing your cyber insurance policy, it guarantees you have the right coverage for the risks associated with your startup. After all, you don’t want to pay for coverage you don’t need. And a policy that’s tailored to the specific risks of your business means you’re adequately protected in the event of a data breach or other cyber incident.

To right-size a policy, start by assessing your current security needs and risk profile while identifying any areas of risk or gaps in coverage that need to be addressed. You’ll also need to develop a budget for your cybersecurity program that takes into account your expected growth that incorporates additional staff, resources and operations. New threats that align with your milestones, or new technologies, will need to be addressed that stem from your changing needs. 

Implementing the right cyber insurance also requires research. But keep in mind: As a tech startup, your needs are different from established organizations with a track record and revenue. Oftentimes, traditional insurance companies are hesitant to underwrite  startups that don’t have a long financial history, and may see startups as higher-risk. Thus, traditional insurers may not be willing to shoulder the risk associated with insuring a startup.

This is why it’s important to work with a knowledgeable insurance company and advisor who is well versed in venture-backed startups, so that your policy is tailored to your exact needs. 

How Vouch Meets the Changing Needs of Your Startup

Understanding the insurance needs of tech startups is exactly what we do. We can help with negotiating contracts and right-sizing your policy for your needs and future growth–being proactive rather than reactive. Our Insurance Advisors will recommend coverage, limits and retentions that we think are appropriate based on your industry and for every stage. Overall, Vouch re-engineered cyber insurance for tech startups, just like you, to provide the right policy at the right time, negotiate on your behalf with contract requirements, remove hidden fees and reduce your amount of paperwork. 

To find out more about Vouch’s cyber insurance policies, click here.