How to Qualify for Cyber Insurance During Heightened Scrutiny
The rapidly growing cyber insurance market was worth an estimated $7.8bn in 2020 and is projected to reach $20bn by 2025. The rise of cybersecurity incidents and ransomware attacks is driving businesses to reach for financial protection; however, the rise in demand is also driving an increase in premiums that may keep many out of the market.
Cyber insurance is a specialty policy intended to help organizations recover financially after an attack. It extends coverage to data breaches and ransomware, which most general liability policies do not cover. Cyber insurance policies specifically define the risks and vulnerabilities of the current threat landscape that they protect against.
Cyber insurance premiums have already increased 28% in the first quarter of 2022 over the prior quarter according to the Council of Insurance Agents & Brokers (CIAB). The increase is due to the dramatic rise in insurable events and also due to insurers re-rating risk. Carriers are expressing a reduced desire to underwrite cyber policies due to the recent increase in risks. And to further protect themselves, insurers are explicitly removing cyber coverage from commercial property and casualty policies and tightening policy terms and conditions to reduce exposure and unexpected losses from attacks.
The latest cyber insurance policies also exclude organizations that don’t have strict security controls in place. Insurers are demanding better cyber hygiene across policyholders, requiring multi-factor authentication (MFA), automatic software updates, and even regular employee training. If the trend of higher premiums and increased scrutiny of security policies continues, many organizations will be left uninsured. According to Dan Garcia-Diaz, managing director of the U.S. Government Accounting Office (GAO): “It’s possible that attacked entities — which could include critical services such as hospitals, financial services, and energy services — would suffer such large losses as to not be able to continue operating without cyber insurance.”
The increased scrutiny and cost of policies could leave many small businesses without coverage. This is especially risky because small organizations are more likely to suffer from attacks: they often already lack the budget to implement effective cybersecurity strategies. Large organizations are more likely to be targeted because their data is generally more valuable and they are more able to pay a ransom, but they also often have excellent security implementations and qualify for cyber insurance. According to Accenture’s Cost of Cybercrime Study, 43% of cyber-attacks are aimed at small businesses, but only 14% are prepared to defend themselves.
The costs associated with a cyberattack, and covered by various cyber insurance policies, extend far beyond what many may expect. Recovering from a ransomware attack cost businesses $1.85 million on average in 2021. Once an organization understands the true risks posed by an attack, it takes cyber coverage more seriously. It’s easy to assume an attack may interrupt business for weeks or months and lead to losses, but those costs are just the beginning. Costs from an attack can extend to forensic investigation, extortion, and reputational damage, as well as business interruption, theft, and fraud associated with data loss.
Cyber incidents are the greatest risk identified in the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses). Below are guidelines on how to ensure your organization is more insurable.
MANAGEMENT
- Do you have the budget to cover implementation costs and policy coverage?
- Do you have an attestation document?
- Have you identified the type of insurance that fits your business?
- Are you educating your staff about cybersecurity best practices?
- Have you identified key vulnerabilities your business is exposed to?
- Are you complying with regulations such as GDPR, HIPAA, and PCI DSS if they apply to your business?
IT OPERATIONS
- Do you have internal IT staff or service providers managing security?
- Are you performing security tests?
- Do all computers have antivirus software?
- Are you scheduling system backups regularly?
- Are you documenting known issues or risks?
SECURITY CONTROLS
- Is MFA required to ensure secure email access?
- Is MFA required for all remote access to your company’s network?
- Are you protecting remote and internal access to infrastructure components (routers, firewalls)?
- Are you protecting internal and remote access to your company’s endpoints and servers?
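The three MFA questions above are what an underwriter's attestation form typically asks, and the honest way to answer them is to look at real authentication data rather than at policy documents. The script below is an added example, not code from the original article or from any vendor: it reads a small constructed log of sign-in events (the CSV column names `access_type`, `source` and `mfa_used` are assumptions for this example), applies a policy that mirrors the checklist (MFA on email from anywhere, on VPN from outside, and on infrastructure and endpoint access from anywhere), and reports which checklist category still has sign-ins that bypassed MFA.

```python
"""Audit authentication events against the MFA requirements an underwriter asks about.

Added example (not the article's own code). The log format, column names and
events below are constructed for illustration; adapt parse_events() to the
export format of your identity provider, VPN concentrator or SIEM.
"""
from collections import defaultdict
import csv
import io

# Constructed sample of sign-in events. access_type maps to the checklist:
#   email    -> "Is MFA required to ensure secure email access?"
#   vpn      -> "Is MFA required for all remote access to your network?"
#   infra    -> "Are you protecting remote and internal access to routers/firewalls?"
#   endpoint -> "Are you protecting internal and remote access to endpoints and servers?"
SAMPLE_LOG = """timestamp,user,access_type,source,mfa_used
2022-05-01T08:01:12Z,alice,email,external,yes
2022-05-01T08:03:40Z,bob,email,external,no
2022-05-01T08:10:05Z,carol,vpn,external,yes
2022-05-01T08:12:51Z,dave,vpn,external,yes
2022-05-01T09:00:00Z,admin,infra,internal,no
2022-05-01T09:30:22Z,erin,endpoint,external,no
2022-05-01T09:31:00Z,erin,endpoint,internal,YES
"""

# Policy: for each access category, the connection sources that require MFA.
# Categories absent from this table are not checked at all, so an auditor
# should make sure every access_type present in the log is covered here.
MFA_POLICY = {
    "email": {"external", "internal"},
    "vpn": {"external"},
    "infra": {"external", "internal"},
    "endpoint": {"external", "internal"},
}


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per sign-in event."""
    return list(csv.DictReader(io.StringIO(text)))


def find_violations(events, policy=MFA_POLICY):
    """Return the events where policy required MFA but the sign-in did not use it."""
    violations = []
    for ev in events:
        required_sources = policy.get(ev["access_type"], set())
        # mfa_used is normalised so that "YES"/"Yes" count as MFA being used.
        if ev["source"] in required_sources and ev["mfa_used"].strip().lower() != "yes":
            violations.append(ev)
    return violations


def summarize(violations):
    """Count violations per access category (i.e. per checklist question)."""
    counts = defaultdict(int)
    for ev in violations:
        counts[ev["access_type"]] += 1
    return dict(counts)


def checklist_status(events, policy=MFA_POLICY):
    """True for a category only if no sign-in in that category bypassed MFA."""
    summary = summarize(find_violations(events, policy))
    return {category: summary.get(category, 0) == 0 for category in policy}


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ev in find_violations(events):
        print(f"{ev['timestamp']} {ev['user']:<6} {ev['access_type']:<8} "
              f"from {ev['source']:<8} without MFA")
    for category, ok in checklist_status(events).items():
        print(f"{category:<8} {'PASS' if ok else 'FAIL'}")
```

Run against the constructed sample, the VPN category passes while email, infrastructure and endpoint access each show a sign-in that bypassed MFA; those are the categories where you cannot yet truthfully attest "yes" on the insurer's form, and the offending events tell you which accounts or systems to fix first.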
If you are looking to tighten up your security profile to avoid the next attack or to qualify for cyber insurance, contact us. We are here to help.