Many small to medium-sized enterprises (SMEs), if they have not yet experienced the changes in cyber insurance, are in for a surprise. Whether you seek insurance for the first time or are renewing an existing policy, there will be changes. Cyber insurance concerns are growing. What is happening is a maturing of the still-new cyber insurance market and a course correction to curb significant direct loss rates. “The price bumps helped the U.S. cyber insurance industry pare back its direct loss ratio, or the percentage of its income that it pays out to claimants, to 65.4% in 2021 from a record of 72.5% in 2020”, as reported in the Wall Street Journal. The reason behind these increases is the rise in cyberattacks, specifically ransomware, phishing, and social engineering attacks. In addition, the pandemic and the shift to hybrid work brought swift changes and new challenges to business and data security.
Cyber insurance policies are complex. They can include several types of coverage that span first-party loss, first-party expenses, and third-party liability. First-party loss typically includes loss of revenue due to business interruption. These expenses would include the many services and resources needed to recover from an attack, such as forensic or system-rebuilding services. Third-party liability may cover expenses and legal fees related to the potential damage caused by the incident to third parties. This covers exposure if partners, customers, or even employees’ sensitive information has been compromised. It is best to consult with an expert to identify what level and type of insurance are applicable for your industry, size of business, and risk appetite to address your cyber insurance concerns.
Some refer to these changes as the hardening of the cyber insurance industry. It is more that, as with any speculative business, you do not know what you do not know. With more data and cyber risk analysis each year, carriers gain more insight into the risk signals and begin to align and right-size their business risk assumptions. SMEs should expect the following changes:
- Increasing premiums
- Higher deductibles
- Reduced coverage limits and potential sub-limits for things like ransomware
- Restrictive policy language like Act of War exclusions
It used to be easy to quickly apply for a policy, provide business details, and submit the answers to a security questionnaire. Today, the process hasn’t changed, but the scrutiny has. Policy underwriters now have deep security expertise and review the risk and details of each applicant and their assessments. This adds time to the process; it’s now recommended to start at least 90 days before renewal to ensure continuous coverage. Compared to previous years, SMEs are paying more and getting less.
In addition, there is a new consideration of whether even to file a claim or absorb smaller losses because of the higher deductibles. Cyber insurance now acts as a catastrophic policy to cover when the loss approaches the policy limit. With such scrutiny across the board, good luck renewing a policy when a claim is filed.
Basic Cyber Hygiene
Today, a concern we hear from prospects is that they need to meet the requirements for their cybersecurity insurance. While this is unique to each company, certain basic cyber hygiene elements are frequently cited in insurance carrier questionnaires. Prove to insurers that you’re serious about lowering your risk and theirs with these basics:
Endpoint Detection and Response (EDR)
EDR is the answer to the typical questionnaire item, ‘Is continuous monitoring in place to detect unusual remote connections, applications, or account/endpoint behavior?’ It mitigates malware, ransomware, and unusual command execution on endpoints.
Multi-factor Authentication (MFA)
There is no getting around the basic need for MFA. It is probably the first question asked. MFA provides a significant risk reduction against compromised or stolen credentials. Even if an adversary lands within your environment, MFA will hinder their ability to move laterally or access other resources.
Vulnerability Scanning
Vulnerability scanning provides insight into your vulnerability risk exposure, which is also a cyber insurance concern. Organizations have to inventory the weaknesses across their environment and show prioritized remediation.
Third-party penetration testing
The most sensible question is: have you performed third-party penetration testing regularly? Testing provides findings on how the security controls in your organization are implemented and how effective they are against a cyber attacker.
Detection and Resilience Engineering
Cyber insurance underwriters are focusing more and more on an organization’s resilience. The most common definition is the ability of an enterprise to limit the impact of security incidents and survive them. Going beyond security hygiene, insurance carriers are ultimately concerned about an organization’s ability to continue operating, financially and operationally, after a security incident.
The effects of a cyber-attack go beyond the direct financial consequences to include the cost of notification, decrease in positive brand reputation, loss of customers, difficulty in attracting new customers, fines, and loss of business partnerships.
One-in-five firms attacked say their solvency was threatened, an increase of 24% from 2021
Hiscox, Cyber Readiness Report 2022
This all plays into the current cyber insurance concerns for both carriers and organizations. We expect to see continued maturity in this field and more pressure on SME organizations to increase their ability to detect and respond to threats faster. Basic hygiene is an excellent way to filter out organizations that have under-invested.
Here are some additional recommendations to consider now that cyber insurance is too expensive to use as a general safeguard.
- Implement a security framework; the NIST CSF is a good starting point. Then:
- Ensure you have security operations 24x7x365, responding to security events within minutes
- Enable multi-signal threat detection where EDR, firewall, and log data are all used for threat hunting
- Be able to access security experts who have experience in responding to security incidents and can take swift action
- Implement external and internal penetration testing to validate security controls and confirm that lateral movement is minimal if an attacker were to establish a foothold within the organization
Insurance premiums work the same way across industries. A driver might get a discount for advanced vehicle safety ratings and a good driving record. More personalized discounts can be had when real-time data about a driver and their actions behind the wheel can be captured and analyzed. There have been stories of a company being denied cyber coverage because of a simple external scan of their business. Not quite real-time, but enough for the carrier to disengage because of the risk it perceived. Getting cyber insurance is becoming more competitive, especially at reasonable rates.
You can potentially lessen your premium increases by treating cybersecurity as a strategic move for your business. Beyond cyber insurance cost concerns, faster threat detection and cyber resilience are things organizations need to pursue to counter the growing risk and cost of attacks:
- Businesses with 250 to 999 employees saw their average number of attacks rise from 45 to 69 in 2021
- Companies with revenues of $100,000 to $500,000 can now expect as many cyber attacks as those earning $1M to $9M annually.
- Median attack costs rose and, as a percentage of revenue, are 2.5x higher for firms ranked as cyber novices.
(Hiscox Cyber Readiness Report 2022).
We can’t help you directly with cyber insurance. However, we provide managed security and compliance services that quickly get small to medium-sized businesses to new levels of security maturity as needed for their industry. Our clients achieve better security outcomes within a budget and grow their cyber resiliency.