Cyber insurance premiums skyrocketed with the evolving cyber-threat landscape. What can companies do before signing up for a policy?
The cyber-threat landscape is changing radically. Unfortunately, cyber-attacks from nation-states and other bad actors have broken the cyber insurance risk models because it’s become easy for an attacker to steal credentials and work from the inside.
Cybercriminals use simple technology but can cause serious business and reputational damage through days of downtime. Such developments have far-reaching implications across the entire insurance industry, from the insurers to the brokers, to the insured themselves.
Due to a heightened risk caused by numerous recent attacks, cyber insurance premiums have skyrocketed, going up by 150%-300% in some cases. So, it’s no surprise that this increased-threat environment has inspired a quick uptick in cyber insurance interest as firms either consider signing up for the first time or seek to increase liability coverage.
What can companies do as their “homework” before they approach cyber insurance providers? How do they put themselves in the best position to negotiate reasonable premiums on a policy that will pay out if the worst happens?
It is worthwhile going through this checklist first before investing in a policy:
1. What minimum-security requirements does the insurer need you to meet?
Most quotes for cyber insurance will come with a cyber risk vulnerability report. It will be billed as a report beneficial to assessing the risk, but of course, it’s in the insurer’s interest to find any glaring weak links in an organisation’s armour.
You can be sure that simple password authentication isn’t going to be enough to meet cyber insurers’ minimum requirements because the risk is too high for them. In the past, a signed attestation from the company’s CISO that minimum standards were in place was sufficient, but now for high-liability or high-risk policies, some insurance firms may need proper due diligence to go any further.
So before asking for a cyber insurance quote, it makes sense for companies to make sure they perform their own internal reviews first to ensure everything is up to scratch.
2. How fast can organizations implement more robust authentication?
If cyber insurance is something an organisation needs immediately, it may not have the time to wait for a full cycle of security upgrades. It's worth asking what security practices, hardware-based authentication or additional employee training can be done today to make the organisation's security profile more attractive to cyber insurers.
3. Has the pandemic weakened a company’s security profile because more people are logging in from home?
Many companies' pre-pandemic security efforts treated the office locations as the security boundary. But with so many employees now working permanently remotely or in a hybrid manner, tightening the organisation's grip on security has become more complicated.
There is more risk because there are a larger number of attack vectors, and cyber insurers are acutely aware of this. It is not enough to just focus on firewalls, web proxies and data protection – today robust MFA for those who are logging in remotely must be part of the picture. Attackers aren’t breaking in, they’re logging in and compromising credentials, which makes raising the security bar for user authentication beyond passwords imperative.
4. Will you receive a payout from your policy when something bad happens?
This is a legal question and still developing. Staying up to date with court cases that lay down precedent on these issues is key. It’s no secret that insurance companies stay in business by NOT paying out when they don’t have to or by keeping their payouts low. Therefore, it is important to document all downtime and losses carefully from the first day of a breach or other incident.
Some good news is a recent ruling on a US$1.4 billion attack from Russia on the global pharmaceutical company Merck. Even though the attack was aimed at Ukraine in 2017 (a grim reminder of the physical invasion to come), the court ruled that it was not an "act of war or terrorism," and therefore a payout could not be excluded.
Insurance companies will try to limit their losses by breaking up covered items into categories. For example, losses due to downtime, hardware and systems replacement, ransomware payout and identity protection for affected customers may have been covered in a single bundle before, but today they are likely to be itemised. That makes policies more complex, requiring brokers to shop around for reinsurers to spread the risk.
5. Has a full cybersecurity review been conducted recently? If not, how do we do it?
Risk assessments should be carried out on a standard schedule and should include both internal and external threats. They can start with a comprehensive review of user access, which Identity and Access Management (IAM) system the organisation is currently using, and what kind of anti-phishing user education it has employed or plans to employ. A review should look closely at privileged users, critical staff and admins, but it should not exclude any users. The safest end goal is to at least start on a path toward strong MFA for all users.
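As an added illustration of the access review described above (not code from the article), the script below runs over a constructed IAM export and lists every account whose MFA, training record or activity would draw an insurer's attention, surfacing privileged accounts first. The column names, the set of "strong" MFA methods and the privileged roles are assumptions that would be adapted to the organisation's own IAM system.

```python
import csv
import io

# Constructed sample export; a real IAM system would provide something similar.
SAMPLE_EXPORT = """\
username,role,mfa_method,last_login_days,phishing_training
alice,admin,hardware_key,2,2024-01
bob,admin,sms,40,
carol,finance,none,5,2023-11
dave,staff,authenticator_app,1,2024-02
erin,service_account,none,200,
"""

# Assumptions: which MFA methods count as strong, and which roles are privileged.
STRONG_MFA = {"hardware_key", "authenticator_app"}
PRIVILEGED_ROLES = {"admin", "finance", "service_account"}
DORMANT_DAYS = 90


def load_users(text):
    return list(csv.DictReader(io.StringIO(text)))


def assess_user(user):
    """Return the review findings for one account (empty list if clean)."""
    findings = []
    if user["mfa_method"] == "none":
        findings.append("no MFA")
    elif user["mfa_method"] not in STRONG_MFA:
        findings.append(f"weak MFA ({user['mfa_method']})")
    if not user["phishing_training"]:
        findings.append("no phishing training on record")
    if int(user["last_login_days"]) > DORMANT_DAYS:
        findings.append("dormant account")
    return findings


def review(text):
    """Flagged accounts, privileged first, then by number of findings."""
    results = []
    for u in load_users(text):
        findings = assess_user(u)
        if findings:
            priv = u["role"] in PRIVILEGED_ROLES
            results.append({"user": u["username"], "privileged": priv, "findings": findings})
    results.sort(key=lambda r: (not r["privileged"], -len(r["findings"]), r["user"]))
    return results


def mfa_coverage(text):
    """Fraction of accounts protected by a strong MFA method."""
    users = load_users(text)
    return sum(1 for u in users if u["mfa_method"] in STRONG_MFA) / len(users)
```

Running `review(SAMPLE_EXPORT)` on the constructed data flags the dormant service account, the admin on SMS and the finance user with no MFA, while `mfa_coverage` reports that only 40% of accounts have strong MFA.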
6. Is the cyber policy specific about what is covered and what will be paid out?
Boilerplate policies are never good because each firm will have specific threat vectors and most likely scenarios for how an attack would happen. Businesses taking out a cyber policy should make sure there are enough specific references to the organisation's vulnerabilities and that they are satisfied with how third-party liability is considered. In general, the more specific the policy is about what falls under covered attacks, the better. Note: this is where a proper legal advisor, preferably one with cyber insurance experience, would help; what we say here shouldn't be taken as legal advice to follow.
These six questions are only a starting point for cyber insurance research, but it’s a good foundation to consider how to get the best deal on premiums and the most comprehensive protection for the years ahead.