Rising Cyber Insurance Premiums and the question of Data Immutability

According to McGrathNicol, over the last 5 years, 69% of Australian companies have been targeted by a cybersecurity attack, and some of these attacks received extensive media coverage.

Consequently, cybersecurity insurance companies have become very careful about what they protect and how much they are willing to cover. Not only have they steeply increased their premiums over the last 12 months, but they have also added more questions to their questionnaires in order to assess a client’s threat protection mechanisms. Nowadays, even obtaining a cyber insurance policy is no longer guaranteed. Some experts argue that by relying on these generalised questionnaires, insurance companies only get a very limited view of an organisation’s protection mechanisms, and that they should rely on expert vendor assessments instead. At present, however, those questions could make or break your ability to get insured against cyber incidents.



The question of data immutability

If you have had to renew your cyber insurance policy recently, you will have noticed among the additional questions a specific one regarding data immutability in backup. Data immutability, previously known as WORM (write once, read many), is a way to protect your organisation’s essential data from malicious adversaries by preventing anyone from modifying or deleting it.

Immutability was previously achieved using a mix of hardware and software. It now relies mostly on software solutions, with backup providers offering different options to customise the level of restriction you want to apply. There is no question that organisations wanting to protect their key data should have a process around immutability in backup. But with the increase in cybersecurity-related investments, how do you decide what data to make immutable and how much of your budget to invest?


From backroom to boardroom

As Vasu Jakkal, corporate vice president of security at Microsoft, put it, cybersecurity has now moved from a backroom conversation to a boardroom conversation. And when it comes to the question of what data represents the crown jewels for your organisation, and what data is essential for your business to keep operating, it is ultimately a boardroom conversation and a boardroom decision.

Organisations need to decide what data they can afford to lose access to without impacting their operations and what data they can’t. This requires them to look at which regulations they fall under, as certain industries have strict laws around data retention, and at what is critical from a business point of view. Losing a front-end webserver, for example, would no doubt be an inconvenience, but it is nothing compared to losing your financial information or personally identifiable information.


Making your data immutable comes at a cost, and companies only have a finite amount of money to invest in cybersecurity, so the question needs to be asked: is the best part of that budget best spent on cyber insurance premiums, or would you be better off investing in strengthening your security posture with prevention and mitigation measures?

Starting off with a security and health assessment of your current backup environment would be a good first step towards making an informed decision regarding where to direct your limited funds. If you haven’t completed an assessment within the last 12 months, now is the time. So, rather than facing blown-up insurance costs, have a chat with our team about our backup health and security assessments.