By: Tom Skoog, Cybersecurity and Data Management Practice Leader
Over the last 12 months, many companies renewing their cyber insurance coverage received quotes with significantly increased rates and severely reduced coverage limits. Why? To understand the change, it helps to start with the history of how this coverage came about in the first place.
History of Cyber Insurance
The cyber market started in the late 1990s when few companies thought about this coverage. The underwriting was detailed, and the market was mostly limited to technology-focused businesses. Beginning in 2010, more and more carriers were entering the market and the supply far exceeded the demand. The underwriting process went from detailed to “quick and easy”. This held until last year.
Beginning in 2021, because of the significant increase in ransomware payments, the demand for this coverage increased dramatically and the supply has begun to tighten. There is now a tidal wave of applications for cyber insurance and the carriers have begun to become more selective in their underwriting.
What Companies are Experiencing Today
Rate: The first and most obvious impact to companies is the increase in rates. Per Epic Brokers in Chicago, the average rate increase has been 50% when you factor across all industries and sizes of companies. Smaller companies that demonstrate good cyber controls as part of the underwriting process are seeing rate increases of 30% – 40%. However, entities considered the highest risk, such as hospitals and law firms, are looking at increases of up to 300%, if they can get underwritten at all. At least two carriers have stopped writing policies for law firms. Also, the days of reducing rates because of “good cyber practices” are over. Good cyber controls are now the expected baseline. More on these controls below.
Retention/Deductibles: The second impact to businesses is the increase in retentions and deductibles. Insurance retention means that you, as the insured company, are responsible for paying claims against you up to a certain dollar amount. For claims beyond that amount, the carrier pays the remainder. Underwriters are using retentions and deductibles as a way of spreading or sharing the risk with the insured.
Reducing Limits: Today, most markets will only offer a maximum limit of $5,000,000 on a primary layer of insurance. Companies that have a primary layer of $10,000,000 may need to restructure that limit or adjust their entire insurance tower into layers of $5,000,000.
In addition to these forces that are directly impacting companies, the market is shrinking with some carriers exiting completely. Today, carriers are re-evaluating and re-adjusting their appetite in multiple ways. They’re adding more industries they consider “high risk” including industries that are part of the “critical infrastructure” (manufacturing, energy, telecom, healthcare).
Baseline Controls Expected in the Cyber Insurance Application Process
The underwriting process has become quite prescriptive in terms of what carriers expect to see as minimum baselines in a company’s cybersecurity program. The controls carriers expect to see implemented include the following:
- Multi-Factor Authentication (MFA): MFA is a means by which people signing onto systems provide two or more independent factors to authenticate themselves, typically something they know (a password) plus something they have (a one-time code from an authenticator app, a push approval, or a code sent to a phone). Codes delivered by SMS are the weakest of these, because they can be intercepted through SIM swapping or phished in real time; app-based or hardware-token factors are preferable where the platform supports them. Carriers expect companies to be using MFA for privileged access (your system administrators), remote access into your network, and remote cloud-based applications such as Office365.
- Strong Passwords: Password rules should be in place and enforced on all systems, requiring a minimum of 8 – 10 characters with upper/lower case and numeric or special characters. Carriers also expect passwords to be changed every 60 – 90 days, with a history maintained so they cannot be re-used for a period of time. Note that current NIST guidance (SP 800-63B) advises against forced periodic rotation and composition rules in favor of longer passphrases screened against lists of known-breached passwords; if your policy follows NIST rather than the carrier’s wording, be prepared to explain it to the underwriter as an equivalent control.
- Data Backups: Companies need to be backing up their data at least quarterly (but should be striving for daily/nightly). In addition to the frequency of backups, backups need to be stored in more than one location, and one of those locations should be offline or segmented from the main network so that a ransomware attacker who gains domain-wide access cannot encrypt or delete it. Backups that have never been restored are an untested assumption: periodically restore a sample and confirm the data is usable.
- Limit Administrative Access: Privileged access (administrator) on workstations and in applications should be limited to IT personnel.
- Security Awareness and Training: Companies are expected to be providing formal cybersecurity training to their employees at least annually. Additionally, carriers would like to see the effectiveness of the training be tested by running internal phishing campaigns to identify employees who may require additional training.
- Anti-Virus/Malware Tools: Anti-virus/anti-malware software is expected to be installed on every device on your network and kept up to date, both the engine and its signatures, on a regular basis.
- Sender Policy Framework (SPF): The Sender Policy Framework (SPF) is an email-authentication technique used to prevent spammers from sending messages on behalf of your domain. With SPF, a company publishes a DNS TXT record for its domain listing the mail servers (by IP address or range, or by reference to a vendor’s record) that are permitted to send email on the domain’s behalf; a receiving mail server looks up that record and checks whether the connecting server is on the list. One caveat: SPF is evaluated against the envelope sender (MAIL FROM) domain, not the From: header a user sees, so on its own it does not stop a spoofed display address; DKIM and DMARC are the companion controls that close that gap.
- Endpoint Detection and Response (EDR): EDR is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities.
- 24/7 Security Operations Center (SOC): A Security Operations Center, or SOC, is a group of people responsible for monitoring the security events on a company’s network. In very large organizations, this may be staffed in-house. This, however, is an expense most small and medium-sized companies cannot absorb. Also, it is not reasonable to expect your internal IT staff to fill this role, as they most likely do not have the appropriate skill set. Most entities outsource this to a company that provides these services.
- Security Information/Event Management (SIEM) Platform: This is a software tool that automates the collection of the various security logs from servers, workstations, firewalls, etc. and has alerting capabilities to inform the Security Operations Center of high-risk incidents that have occurred.
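The SIEM item above says the platform collects logs and alerts the SOC on high-risk events; the following is an added example (not the article’s own code, and not tied to any particular SIEM product) of the kind of correlation rule such a platform runs over authentication logs. The log lines are constructed for the example in a simplified syslog-like format, and the threshold and time window are assumptions a SOC would tune: the rule flags a source that fails five logins within 60 seconds, and separately flags a success from that source while the failures are still inside the window, which is the event the SOC most wants to see.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). One source address
# hammers the admin account and then gets in; another user mistypes once.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for admin from 203.0.113.9
2024-03-01T09:00:03Z host1 sshd: Failed password for admin from 203.0.113.9
2024-03-01T09:00:05Z host1 sshd: Failed password for root from 203.0.113.9
2024-03-01T09:00:06Z host1 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T09:00:07Z host1 sshd: Failed password for admin from 203.0.113.9
2024-03-01T09:00:08Z host1 sshd: Failed password for jsmith from 198.51.100.4
2024-03-01T09:00:09Z host1 sshd: Failed password for admin from 203.0.113.9
2024-03-01T09:00:12Z host1 sshd: Accepted password for jsmith from 198.51.100.4
2024-03-01T09:00:14Z host1 sshd: Accepted password for admin from 203.0.113.9
2024-03-01T09:10:00Z host1 sshd: Failed password for admin from 203.0.113.9
"""

# Matches the constructed format; trailing fields (e.g. " port 4242 ssh2") are tolerated.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line):
    """Return a dict for an sshd login event, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: per source IP, count failures inside `window`.

    Emits ("brute_force", ip, user, ts) once when the failure count reaches
    `threshold`, and ("brute_force_success", ip, user, ts) when a login is
    accepted while at least `threshold` recent failures are still in the window.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures in window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # not an authentication event; a real SIEM routes it to other rules
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
        else:  # Accepted
            if len(q) >= threshold:
                alerts.append(("brute_force_success", ev["ip"], ev["user"], ev["ts"]))
            q.clear()  # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the constructed input the rule produces two alerts for 203.0.113.9 and nothing for 198.51.100.4, whose single failed attempt before a success is ordinary user behaviour. The failure at 09:10:00 does not alert because the earlier failures have aged out of the window, which is the trade-off behind the window size: too short and a slow, patient attacker never trips the threshold; too long and the SOC drowns in noise from legitimate typos.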
While the carriers have not gotten to the point of sending auditors to validate the control assertions made by their clients, they are, in some cases, asking company owners or CEOs to sign affidavits attesting that the controls are in place. In one case, a PE firm that experienced a ransomware attack had asserted that it was using multi-factor authentication; it was not, and its claim was not paid. If you are not truthful on your application about the controls in place, you should consider yourself uninsured.
What Can be Done to Reduce Cyber Insurance Rates?
In short, not much. There is a screaming demand for cyber coverage at higher coverage limits, and the carriers are beginning to retreat or pull back. However, besides the industry you operate in, one of the drivers of rates is the number of unique personal records (either financial or health) that an entity maintains. Companies that can purge older records from their databases or files have an opportunity to reduce their cyber insurance rates, and fewer records also means a smaller loss if a breach does occur.
If you feel you have controls in place that are not listed here but achieve the same control objectives, it is strongly recommended you have a conversation with the underwriters at your carriers to describe to them, in detail, the controls you have in place. This has gone a long way in getting underwriters to accept the alternative controls and complete the application process.
It is important that you are transparent in filling out your cyber application. There is concern among several brokers that smaller organizations are not being completely truthful about their controls in place to obtain coverage. In short, if the control is not in place that was asserted and you experience a breach, you should consider yourself uninsured.
Blue & Co. can help you evaluate your cybersecurity risk strategy and point out practical and pragmatic solutions to better control your data. Please reach out to our Cybersecurity and Data Management Practice Leader, Tom Skoog, at firstname.lastname@example.org or call 614-220-4131.