Over the past two years cybersecurity threats from data breaches, ransomware, and phishing attacks have been front of mind for many organizations. As the attacks increase, managing the threat has become significantly more expensive. This trend is expected to continue for the foreseeable future.
Organizations of all types are a target regardless of industry, size, or name brand reputation, and many — including those with mature cybersecurity programs — are reducing their financial risk through cyber insurance. The new challenge they face is staying ahead of changes in premiums and coverage.
The changing cybersecurity insurance landscape
As cybersecurity threats increase dramatically, so too do cyber insurance premiums. In some recent cases, we’ve seen premiums double. If that’s not enough, many insurance companies are expanding their minimum cybersecurity baseline requirements beyond general “best practices” to a higher level of maturity historically seen only in regulated industries. Organizations are also facing challenges with coverage levels that are increasingly being tailored to specific cyber incidents. For example, many insurers now limit coverage for incidents such as wire transfer fraud to a much lower amount than the general coverage offered in the past.
Evolving standards for coverage
Executives need to know the requirements of their cyber liability insurance policies and ensure their organization’s information security and incident response procedures meet these standards. Insurance companies generally prefer strong control programs around information security.
Tools and resources such as security awareness training, response teams, and monitoring tools may be preferred or even required. Cybersecurity assessments or third-party examinations may also be required to help evaluate the cyber maturity of an organization in order to determine premium costs or discounts.
Specifics such as what’s considered a security incident or breach and how quickly the carrier must be notified are extremely important. They should be identified and communicated in information security policies and response procedures to ensure coverage in the event of an incident. Every cyber insurance policy will have definitions of “incident” or “breach” within the policy language that are unique to the carrier. Once an organization identifies a potential security incident meeting one of those definitions, it must follow the required notification procedures. Many insurance companies have their own investigation procedures, and failure to notify them and follow their contracted processes may lead to denial of claim coverage.
How can I reduce my premium?
At a minimum, insurers are looking for organizations to take these steps:
- User authentication: Implement multifactor authentication on all access points to the network, including all devices, email, etc.
- Network access: Limit privileged user access to critical systems to authorized personnel who require access based on job role, and review at least quarterly to ensure access is appropriate.
- Testing and awareness training: Conduct monthly phishing tests and annual security awareness training to ensure staff understand how to appropriately identify and respond to security threats.
- Vulnerability scanning: Conduct monthly vulnerability scanning to identify weaknesses on the network and ensure they are mitigated as they arise.
- Incident planning: Ensure incident response and business continuity plans include adequate procedures for reporting security incidents and opening claims with the carrier. When considering a claim, it’s important to understand the severity of an event and differentiate between minor events and potentially reportable incidents. Is the incident the equivalent of a “scratched bumper,” or is it a major “rear-end accident”? Some insurers have increasingly strict requirements depending on the organization and the types of data being secured.
Managing cybersecurity risk continues to evolve, and what was previously thought of as an IT issue has expanded into an enterprise-wide concern. With the cyber insurance industry facing increasing payouts, premiums are going up and underwriting standards are becoming more onerous. Insurer scrutiny of cybersecurity programs continues to increase, potentially making it more difficult to get a new policy or renew an existing one. A stronger, more mature cybersecurity program is the key to lower premiums and better coverage.
Don’t wait to understand your cybersecurity maturity. To help understand what you can do to reduce risk and lower your premiums, give us a call.