Change Healthcare went without cyber insurance before debilitating ransomware attack
Additionally, security awareness training is hugely important. “People remain the biggest vulnerability, so insurers look for evidence that employees are regularly educated on cyber threats like phishing and social engineering,” Indah added.
An organization’s risk tolerance is key when deciding on cyber insurance. In UnitedHealth’s case, not having insurance for its Change Healthcare division left it exposed financially and reputationally, said Michael Adjei, director of systems engineering, EMEA, at security vendor Illumio.
“It’s important that organizations don’t view cyber insurance as a way of transferring risk but see it as an extra layer should the unexpected happen,” said Adjei. “In reality, businesses will need to put in place and demonstrate that they meet cyber-insurance requirements at least six months in advance of asking for cover, much like we provide financial information ahead of obtaining a mortgage.”