According to Cisco, “Cyber insurance is an insurance product designed to help businesses hedge against the potentially devastating effects of cybercrimes such as malware, ransomware, distributed denial-of-service (DDoS) attacks, or any other method used to compromise a network and sensitive data.” A lot has changed in the cyber insurance industry over the last couple of years, and while no one knows exactly what to expect, the following are four things to consider as you look to obtain or renew your cyber insurance policy.
Questions to Ask Your Broker
When was the last time you talked to your broker about your policy and coverage? With all the changes happening in cyber insurance, be sure you are clear on what you’re getting and what is missing from your cyber insurance policy.
Here are a few questions to start the discussion with your broker or agent regarding your cyber insurance policy:
- What does my policy actually cover?
Make sure your policy covers all your bases. Some insurance plans cover a broad range of cyber risk losses, while others add coverage for physical damage to hardware or business income loss. You need to know exactly what is in your cyber insurance policy, and what it will and will not cover, before you commit to it.
- What are the exemptions in my policy?
Not every policy is written the same. There may be exemptions in a cyber insurance policy. So, as well as finding out what it does cover, find out what it does not cover! You should know this ahead of time, so you are prepared in case something does happen.
- Are there any gaps in my policy?
If you currently have a cyber insurance policy in place, you should review it with your agent. You will want to talk about any potential gaps in your coverage and the best way to address them.
- If the company experiences a cyber incident, how will it affect my premiums?
You’ve heard the expression: hope for the best, plan for the worst. Even the best controls can fail, and if they do and a data breach occurs, you need to know what will happen to your policy and premiums.
Prepare for a More Complex Review Process
As cyber insurance offerings mature, the requirements are going to become more complex. Unless you are a very small organization, you need to make sure the relevant stakeholders are involved in the review process and on the same page regarding the language and ability to meet the requirements.
- Have you incorporated Legal, Risk Management, Security, and IT into the policy selection and review process?
- Do all relevant stakeholders understand the expectations for the organization?
- Do you understand the language used by your broker (e.g., EDR, IPS/IDS, SIEM) and do you, or your IT team, understand the technical depth that your broker expects you to have?
- Do you understand your current cybersecurity posture’s impact on your coverage limits and premiums? In many cases, an immature security program may disqualify an organization from coverage eligibility entirely. Conversely, conducting a cyber risk assessment and putting a remediation plan in place may significantly lower premiums.
As requirements become more detailed, make sure they are clearly communicated to the key stakeholders and teams that implement and support them.
When cybersecurity insurance was first offered, the questions the carriers asked were a little too simple, such as “do you have a firewall?” or “do you have antivirus installed?”, each with a little checkbox next to it. They didn’t go on to ask whether the firewall was installed AND properly configured in alignment with an industry-accepted benchmark. I’ve heard many stories about cybersecurity insurance questionnaires over the past year. One company was told they needed a firewall, so they bought one. The problem was that was all they did. They didn’t install, configure, and tweak it, and when asked if they had a firewall, they said, “yes we do, it’s right here sitting on the floor in the original box.” Not understanding a requirement and the intent behind it leads to all kinds of issues. If you need help shifting boardroom conversations and considerations around cybersecurity and insurance, read our blog Cybersecurity in the Boardroom to learn more.
Impacts of Cyber Threats
The FBI’s Internet Crime Complaint Center (IC3) annual report showed a 69 percent increase in the number of cybercrime reports it received in 2020 compared to 2019. On average, the FBI received 2,000 cybercrime reports per day in 2020. Due to all the data breaches, ransomware attacks, and supply chain hacks, cyber insurers are taking a beating. When insurance companies have to pay more claims than anticipated, they tend to look back to see how they can do things differently. Insurance companies are masters of statistics and actuarial tables, so for most ‘knowable’ scenarios they can predict, within a certain +/- percentage, what the costs involved will be and the likelihood of claims resulting from that scenario. Given the recent threat landscape, that has not been the case for cybersecurity incidents and their associated claims. Insurance companies do not have a consistent way to know which threat actor or nation state is going to attack a company, how long it will last, how impactful it will be, and how long it will take to contain and remediate it. There are metrics for the cost of a breach, but those are calculated long after insurance has paid a claim.
Changes to Expect for Cyber Insurance Policies
What does this mean for you and your company? Well, whether you have an existing policy or not, here are some things that are happening or likely to happen soon:
- Expect it to be more challenging to maintain and/or acquire a cyber insurance policy.
- Capacity is shrinking, so you might not be able to get as much coverage as you want, or as much as companies have obtained in the past.
- Expect premiums to rise by double-digit percentages (or more).
- Expect to see questions around systems that were recently in the news because of a breach (e.g., Kaseya, SolarWinds, Microsoft Exchange, Citrix) or questions based on gaps identified in recent security incidents.
- Expect new requirements, sometimes called critical controls, to be specified, such as:
  - Multi-factor authentication (MFA) enabled:
    - At all ingress points into the network (e.g., VPN, VDI, Citrix)
    - For privileged/sensitive applications
    - For service accounts
  - RDP, VNC and any other remote tools that are commonly used/abused in attacks disabled, or an explanation of the compensating controls around those tools.
  - Segregated, or offline, backups that are regularly tested.
  - A vulnerability management (patch management) process/program, and a requirement that you demonstrate you consistently patch your environment.
  - An experienced, well-staffed IT management team.
- Prepare for the two worst-case scenarios:
  - Your current cyber coverage provider exits the cyber insurance market.
  - Your current provider drops your cyber coverage.
To learn more about cyber insurance coverage changes, watch this webinar: The Cyber Risk Allocation Paradigm is Changing: Cyber Insurance’s Evolving Issues presented by Baker Donelson.
A Light at the End of the Tunnel
It’s a bleak picture; however, there is a silver lining. It is possible to get ahead of the game and avoid an 11th-hour cyber insurance renewal headache. It’s time to be proactive. Years ago, there was a paradigm shift in the cybersecurity industry: professionals used to say something like “When a compromise happens,” but that has evolved into “Assume you’ve been compromised.” A significant number of enterprises worldwide must make a similar paradigm shift in how they view cybersecurity in their company. It’s no longer a “nice to have” or “something to think about adding in”; it’s a necessity, and cyber insurance providers are now forcing the issue.
So how do you get ahead of it? You can start with a Risk Assessment to understand whether there are any gaps in your organization’s security posture and practices that could expose it to unnecessary risk. This assessment is how LBMC Information Security commonly starts our client relationship, and it often results in cyber insurance premium savings that are greater than the cost of the assessment itself. Our team of cybersecurity professionals and our broad industry experience help you uncover risks in your organization, which can reduce the likelihood of either losing cyber insurance or not being able to acquire it, and can reduce your premium costs as well.
If you would like more information on cyber insurance or to discuss a risk assessment for your organization, contact us today.