Cyber Insurance Readiness: Managing Your Risk

Cybersecurity insurance policies were profitable at one time, but insurers' losses on these policies are steadily increasing. Lloyd's of London recently made an announcement that casts doubt on the future of cybersecurity insurance. The company announced last November that the current model for cyber insurance is no longer sustainable and that, as a result, it was discouraging its syndicates from taking on new cyber business in 2022.

What Does Cyber Insurance Include?

Policies typically cover the following costs:

  • Forensic analysis to identify the attack source

  • Costs to regain access or restore your data from backups or other sources

  • Notification of clients and/or regulatory bodies

  • Credit monitoring services for affected individuals

  • Ransomware demands and specialists to manage ransom negotiations

  • Legal costs and public relations services

  • Depending on the type of incident, the insurer may also provide experts to advise the client on handling the situation at hand and to identify ways to lower the cost of restoration.

Rising Costs and Rising Demands

In 2021 these prices continued to grow. The average premium increased 25.5% during the second quarter of 2021, according to a survey from the Council of Insurance Agents & Brokers (CIAB). This is on top of an increase of 17% in the first quarter of the year. It is estimated that cyber insurance prices are increasing 50% year over year, and companies should expect that trend to continue going forward.

Rising Costs Bring Mounting Losses

Increased attacks = Increased claims. The most common claims involve email phishing and ransomware. In 2020, the total amount of ransom paid by victims was nearly $350 million, an increase of 311% over the previous year, CNBC reported. However, the ransom represents only a portion of the actual cost to the breached organization. The average cost of remediation rose to $1.85 million in 2021, compared to $700,000 in 2020.

Frequent ransomware claims, along with their burgeoning payouts, are what is driving the insurance companies' losses. According to an S&P Global report, loss ratios increased for the third consecutive year in 2020. TechTarget reviewed these costs over time:

  • 2016: 43 cents of every dollar paid in cyber insurance premiums was spent paying insurance claims or related costs.

  • Before 2019: The loss ratio never went over 48 cents.

  • 2020: It skyrocketed to 73 cents.

What Can Policyholders Do?

Cindy Kaplan, Director at HALOCK Security Labs, notes that insurance companies are requiring controls from their policyholders concerning their security practices. "Insurance companies are looking at your risk posture, they need to know if their clients or potential clients are prepared for a cyberattack. It's an essential process to continually assess risk so that businesses can proactively identify threats, contain them, and remediate cyberattacks." Insurance companies are incentivizing good cybersecurity strategies from their clients. For instance, policy renewals for some companies are being predicated on the enablement of multifactor authentication (MFA) for remote access. MFA is one of the most common requirements of insurance companies.

HALOCK Senior Partner Terry Kurzynski spoke at the Midwest Cyber Security Alliance (MCSA), presenting "Cyber Insurance Readiness: Preparing for Your Next Renewal". Terry identified key areas to strengthen when getting ready for the underwriting process. Key areas he suggested include:

  • Multi-Factor Authentication (MFA)

  • Backup Program & Data Management

  • Implement Principle of Least Privilege (PoLP)

  • Data Minimization Program

  • Prompt Application of Patches

  • Endpoint Detection and Response (EDR)

  • Email Security and Configuration

  • Mobile Device Management (MDM)

  • Routine Cyber Training

  • Policies and Procedures Documentation

  • Incident Response Plan (IRP)

  • Penetration Testing & Vulnerability Scanning

  • Compliance - HIPAA, PCI DSS, CCPA

  • Third-Party Vendor Risk

  • Web Application Firewalls (WAF)

  • Duty of Care Risk Analysis (DoCRA)

Insurance companies conduct cyber history reviews: they explore a potential client's frequency of reported incidents and learn how the company dealt with prior attacks. Some insurance companies are working with clients to strengthen their existing risk management strategies in order to reduce their risk factors. A key approach when it comes to insurance is ensuring clients have done their due diligence, or their 'duty of care'. Practicing duty of care shows interested parties, such as customers, litigators, and regulators, that a breached company was practicing 'reasonable security' as required by law. Duty of Care Risk Analysis (DoCRA) provides the methodology by which an organization builds a security program by assessing its risks, the likelihood of each risk, the harm that risk could cause, and the controls put in place to protect against it. By collaborating through DoCRA, premiums are reduced for the client while risk exposure is minimized for the insurer and others are protected from harm.

Understanding the requirements for your specific security and risk profile is important for getting proper coverage. Review your business environment and establish reasonable security for your network. Start the process toward effective cybersecurity and insurance coverage with these top considerations when pursuing cyber insurance.

ABOUT HALOCK

HALOCK is a U.S.-based information security and risk management consultancy that is privately owned and operated out of its headquarters in Schaumburg, Illinois. From mid-sized to the Fortune 100, our clients span a variety of industries including financial services, healthcare, legal, manufacturing, supply chains, education, energy, SaaS/cloud, enterprise retail and many others. As principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers the unique insight to help organizations define their acceptable level of risk and establish "duty of care" for cybersecurity. Through this risk assessment method, businesses can evaluate cyber risk that is clear to legal authorities, regulators, executives, lay people, and security practitioners. Services: Security Management, CIS RAM and DoCRA Risk Assessments, Compliance Validation, Pen Testing, Third-Party Risk Management, Workforce, ISO 27001, Incident Response, Security Engineering.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
* This is a contributed article and this content does not necessarily represent the views of techtimes.com