Authored By Jeff Bathurst and Greg Tselikis | Technology Advisory
In the past, one of the common questions asked of cybersecurity insurance brokers was, “Can I get a discount on insurance if I implement this security control?” Most of the time, the answer was no. But whether or not you implemented a particular security control, you could still get insurance. Times are changing, though. Now you might not even be able to renew cybersecurity insurance without the proper security controls and standards in place.
Why Did Cybersecurity Insurance Policies Change?
The biggest reason for the change is the massive increase in cyberattacks over the last year. Check Point Research reported that from the middle of 2020 to the end of 2021, cyberattacks trended upward. At the end of the year, organizations tracked in the CPR study averaged over 925 cyberattacks a week. That’s a 50% increase over the year before.
The losses resulting from cyberattacks are increasing as well. According to Gallagher, companies spent $590 million on ransomware payments in the first six months of 2021—far surpassing the $416 million spent on ransom in all of 2020.
The massive SolarWinds security breach and almost daily news of ransomware attacks not only drove home the importance of cybersecurity for every business but also made cybersecurity insurance providers take notice and review their policies. The increase in ransomware has shifted the focus from ensuring businesses have the correct preventive cybersecurity measures in place to auditing both prevention and disaster recovery. Additionally, the increase in all types of cyberattacks means tighter standards and more limited coverage.
Another change in the technical landscape that affects cyber insurance is the increase in cloud adoption. Companies are moving core systems and critical data from corporate data centers to offsite third-party providers. In many cases, this can improve security. But adopting cloud technologies requires organizations to have a deeper understanding of how to test and adapt their cybersecurity plans to the cloud environment.
What Do Cybersecurity Insurance Changes Mean for My Business?
These changes to the cyber insurance requirements mean that you and your IT team have to prepare before you renew. You must have the proper processes and systems in place to avoid application rejection. The good news is that most of these requirements will also reduce the attack surface of your systems and help prevent cyberattacks from affecting your business. Some of the new requirements include:
- Multi-factor authentication (MFA) across all your insured resources to limit the damage stolen credentials can do
- Ongoing testing of all your systems to verify that security controls are in place and working
- Cybersecurity awareness training for employees because they are the first line of defense against many cyberattacks, like phishing
- Air-gapped backups of your data so that you can recover from a ransomware attack without paying the ransom
- VPNs for all remote desktop services, so connections to your IT infrastructure are always encrypted and secure
- Audits of third-party vendors to determine how much access they have to your systems and data
- Up-to-date endpoint detection and response (EDR) antivirus software installed on all connected devices
But preparation doesn’t stop with the technical parts of the process. The requirements for insurance may not be the only factors that have been adjusted. It is essential to examine the insurance policy from several angles.
First, you should know what your policy covers and does not cover because policies are constantly changing. It may cover money lost in a hack but not social engineering attacks where an employee gets tricked into sending a hacker money.
Second, look at the coverage amounts. Being insured for a million dollars may seem more than sufficient, but considering some of the recent newsworthy hacks, it may not be enough. It is important to understand the total organizational cost of a cyber breach and insure appropriately.
This type of review is something leaders will need to do a couple of times a year with the help of their cybersecurity team or an external resource to ensure they are always fully covered—especially since this is likely not the end of shifting insurance policy requirements and coverage changes. We can expect to see more in the future.
Need Help Navigating Your Cybersecurity Insurance Renewal?
Cybersecurity plans are no longer straightforward. The new complexity in insurance policies is there to protect your business, not make your job harder, but it may complicate matters in the short term. For best results, start your policy renewal process early.
Develop comprehensive submission materials that highlight your investments in cybersecurity and your improvements over the previous year by consulting with your insurance broker. Insurance is a necessary part of having a cybersecurity program. Planning for your renewal in advance may be the only way to guarantee you can get insurance at all.
Maybe you know you need to make changes but are not sure where to start. We’re here to help. Having a knowledgeable cybersecurity partner can be a valuable asset. An organization well versed in all things related to a comprehensive cybersecurity program can ensure you have proper counsel regarding policy coverage and what changes need to be made before you renew.