Understanding the Changing Landscape of Cyber Insurance for Mid-Sized Businesses
The cyber insurance industry has witnessed significant changes in 2023, reflecting the dynamic nature of cyber risks and the evolving strategies of insurers. Mid-sized businesses, now more than ever, need to stay abreast of these developments to ensure adequate protection in the digital age. While high-profile attacks on enterprises often make big headlines, SMBs are also being attacked regularly. TechTarget maintains a running list of publicly disclosed ransomware attacks each month. Sometimes simply reading through the names and browsing the frequency of attacks can serve as a reality check to ensure you are protected and prepared.
2023 has seen both more sophisticated cyberattacks and a corresponding response from insurers. However, there is a silver lining: the cyber insurance market is showing signs of stabilization. This shift comes as a relief to businesses grappling with the complexities of digital threats and insurance dynamics.
Underwriting Changes and Challenges:
Insurers are increasingly adopting ‘inside-out’ underwriting approaches, leveraging third-party scanning technologies to identify vulnerabilities in systems, and following up to ensure gaps are filled. Ransomware and social engineering fraud, often exacerbated by hybrid work models, have also become more prevalent, calling for a reevaluation of coverage policies. Additionally, changing cyber regulations across the US are reshaping the insurance landscape.
- Stricter Compliance Requirements: New and evolving state and federal regulations are imposing stricter compliance requirements on businesses. For instance, the California Consumer Privacy Act (CCPA) and the New York SHIELD Act mandate specific data protection and privacy measures. Companies must now ensure that their cybersecurity practices comply with these regulations, which can influence the type and scope of cyber insurance they need.
- Increased Financial Penalties for Non-Compliance: Regulations like the General Data Protection Regulation (GDPR) in Europe, which also affect U.S. companies dealing with EU citizens’ data, and similar state-level laws in the U.S., impose hefty fines for non-compliance. This increases the financial stakes for businesses, prompting a need for insurance policies that can cover these potential regulatory fines.
- Mandatory Breach Notifications: Laws requiring mandatory reporting of data breaches, like the Health Insurance Portability and Accountability Act (HIPAA) for healthcare information, force businesses to promptly disclose breaches. This increases the potential for reputational damage and litigation, driving demand for insurance policies that cover these risks.
- Coverage for Regulatory Investigations and Actions: As regulatory scrutiny intensifies, businesses seek cyber insurance policies that cover the costs associated with regulatory investigations and actions. This includes legal fees, settlement costs, and any penalties imposed.
- Influence on Underwriting Criteria: Insurers are adapting their underwriting criteria to align with these regulations. They are more likely to offer favorable terms to businesses that demonstrate compliance with relevant cybersecurity regulations and standards, as this indicates a lower risk profile.
- Cyber Risk Assessments and Audits: Regulations often require businesses to conduct regular cyber risk assessments and audits. Insurance providers may use these assessments to determine policy premiums and coverage limits, and in some cases, might even require them for policy renewal or issuance.
- War and Nation-State Exclusions: With the rise of cyberattacks attributed to nation-states, some regulations, such as prohibitions on paying ransoms to sanctioned entities, are influencing cyber insurance policies. Insurers are increasingly adding exclusions for such incidents, impacting coverage availability.
- Sector-Specific Regulations: Certain industries, like finance and healthcare, face specific regulatory requirements (e.g., GLBA for financial institutions, HIPAA for healthcare entities). Compliance with these regulations affects the type of cyber insurance coverage these businesses need.
The market’s evolution underscores that cyber insurance can’t be the sole line of defense. It’s crucial for businesses to engage in comprehensive risk management, including partnering with third-party security providers to pinpoint and mitigate vulnerabilities.
Emerging Risks and Considerations:
The intersection of cyber defense with AI and ML technologies presents new challenges and risks. The Russia-Ukraine conflict has also raised questions about war exclusions in cyber policies, especially concerning nation-state cyberattacks.
For mid-sized businesses, adopting robust security measures, such as multifactor authentication, encrypted backups, and unified security, is critical. Regular cybersecurity training and a well-structured incident response plan are also vital in mitigating risks.
Applying for cyber insurance has become more complex, requiring detailed information about IT systems and security controls. Businesses are facing higher deductibles and restrictions on coverage, particularly for systemic risks and technology errors and omissions.
The recent cyber insurance landscape has presented both challenges and opportunities for mid-sized businesses. Understanding these developments is key to securing adequate coverage and fortifying digital defenses. Insurers will likely continue to place even more emphasis on proactive risk management practices by insured companies. This could involve mandating certain cybersecurity measures or offering incentives for businesses that implement advanced security protocols. If you are considering adding cyber insurance coverage, we can help you take the steps to qualify. If you already have a policy, we can review your current security posture to see if there are discounts or incentives available, while also strengthening your resiliency as the insurance market continues to evolve. Contact us to learn more.