Changes To Cyber Insurance Mean Adjusting Your Approach to Managing Risk

This isn’t news… cyber attacks are becoming more than just an occasional threat. The frequency of attacks is increasing, with many of them leading to major data breaches. You no longer need to go back months to find large-scale attacks being reported. This year saw waves of attacks that affected hospital care, stalled America’s biggest gasoline pipeline, brought a huge meat supplier to its knees and devastated hundreds of managed service providers. These breaches cost companies millions of dollars in revenue, lost reputation and legal damages. Because of this, insurers are rethinking their coverage and addressing the shared responsibility model so they are enabled to properly assume these risks and hold policyholders appropriately accountable.

Insurers taking a closer look at how they will cover for cyber threats

In light of the increase in ransomware and other successful data breaches and attacks, it is not surprising that insurers are taking a hard look at whether or not they should be liable for damages. This is particulary true in cases where there is no physical damage to be covered by traditional insurance policies and less than adequate cyber defenses are put in place by policy holders. There is still a lot of uncertainty with what the future holds for those who were victims to hackers but experts say it’s only a matter of time before we see changes in how cyber insurance works. Insurers are considering all possible ways that hackers may use cyber attacks to develop better underwriting standards for policies that can protect enterprises and their intellectual property from these attacks. A new change in underwriting will also come to the policy holder as there will be requirements to “beef up their own cyber defenses” and protection solutions according to Tom Reagan, Marsh McLennan’s head of U.S. cyber practice. Cybersecurity insurance is at an inflection point but it is on pace to be a $3 billion industry. With this much money at stake, insurers will surely put in place tighter coverage standards and increase prices. Therefore, it is paramount that policyholders increase not only their cybersecurity solutions along the industry standards but, also, increase their awareness to this new and persisting threat.

Policyholders must have discussions with their insurance providers

Gartner has reported that “Cybersecurity insurance is entirely a reactive product. It will not prevent a cybersecurity breach or immediately reduce the impact on the delivery of services to your end users. Therefore, you must continue to invest in your security program alongside your cybersecurity insurance considerations.” Given the reactive nature for these new insurance offerings the policyholder needs to make sure they are compliant. This means companies and individuals need to follow compliance frameworks like CIS, NIST CSF or ISO 27001. Adhering to these standards can ensure that your company has proper processes and standards in place to address the overall risk. These industry standard frameworks are designed to be easy for any organization of any size or level of security risk to adopt. The framework is not a rigid “checklist” – it is a tool that will help organizations identify and prioritize actions within their cybersecurity strategy based on the organization’s risk profile and industry. Together, with a properly executed insurance policy, you are protected as best as you can be in the event of an attack.

Tips for self-auditing and engaging your cyber insurance organization

You can use the below questions to self-audit and assess your cyber risk.  This will help you to understand what your risk tolerance is and to make decisions for the amount of coverage required or risk to be transferred.

1. Can you quantify the maturity of the security at your organization?
2. Is your company prepared for an attack?
3. How much will it cost to improve the security?
4. What are the consequences if you don’t act?
5. What is the likelihood of an attack happening in the next year or two?

Companies are increasingly relying on cybersecurity insurance to help transfer their risk , once determined, that comes with such attacks. But the policy holder must be proactive in planning their defense when preparing to take on a cybersecurity insurance policy. Once you have answered the questions above and have properly assessed your cyber risk tolerance, insurers will look to have an answer for these five crucial questions:

1. What are you doing to protect your data?
2. What is the probability that your company will be hacked?
3. What are the consequences if you are hacked?
4. Do you have a business continuity plan in place?
5. How far back does your company’s data go and how much of it is important?

Preparing your organization to answer these questions and having a candid conversation with your insurer can help you ensure that you’re meeting your policy’s requirements. By having these candid conversations, you can show your willingness to participate in the shared responsibility model and own those controls that must be put in place according to your chosen framework.  Any discrepancies can be communicated, and a plan developed, to ensure that progress is made to become compliant with your policy and framework. Bottom line is that changes are coming to cyber insurance coverage.  Taking the time today to be proactive in how you assess and manage your risk, develop your internal security program maturity, and prepare for the worst will put you in a position to get the most out of your cyber insurance investment.   Steve Sims VP, Security & CISO Green Cloud Defense