The threat of cyberattacks, particularly ransomware, to global business rose sharply during the pandemic as work-from-home policies stretched the networks of many companies. With attacks becoming more frequent and sophisticated, how are private equity and venture capital (PEVC) funds protecting themselves and their portfolio companies?
The increasingly digital environment has led to an elevated level of cyberthreat activity, resulting in middle market PEVC funds scrambling to transfer risk through cyber liability insurance (CLI). Unfortunately, finding any level of coverage is increasingly challenging. Already this year we have seen several funds denied cyber insurance, which was unheard of in years past.
This belt-tightening by cyber insurance carriers is directly tied to the losses they have incurred from ransomware breaches. We are seeing attacks in every industry and the financial demands are getting much higher. Cyber insurance companies are simply refusing to take on excess risk, causing a major shift in the marketplace.
Midsized businesses face increased risk because many do not have adequate controls in place. If middle market PEVC funds want to protect themselves and their portfolio companies from cybersecurity threats, they will have to adjust their approach to address liability risk.
How has the insurance industry responded to both the heightened demand and liability?
While it was once commonplace for cyber insurance companies to accept risk transference from organizations, they are now limiting business for their own protection. The RSM US Middle Market Business Index 2021 Cybersecurity Special Report discusses important changes in the cyber insurance marketplace, including reduced capacity, rate increases and underwriting scrutiny.
More emphasis will be put on a company’s policies, procedures and control capability related to cyber exposure. PEVC firms that do not have a minimum viable cybersecurity program in place are having to pay exorbitant premiums to get liability coverage at all.
What is a common misconception that PE firms have regarding cyber insurance and how should they approach it?
Demonstrating cyber insurance readiness increases a PEVC fund’s likelihood of securing adequate liability coverage. A minimum viable security program should include penetration testing, policy and procedure, governance, program management and posture matching. Without these foundational elements, obtaining an insurance policy will become more difficult or cost-prohibitive.
PE firms need to understand that CLI is not a standalone solution for cyberthreat protection but rather part of a larger risk management strategy. Rather than worrying about how much cyber insurance is needed, PEVC funds should focus on bolstering their cybersecurity controls and then transferring residual risk, in that order. In other words, avoid putting the cart before the horse or face increased challenges in transferring that risk properly.
In practice, that minimum viable security program should include vulnerability scanning, security awareness training, policy and procedure, governance, incident response and business continuity capability, as well as multifactor authentication and endpoint detection and response. Underwriters increasingly expect evidence of each of these controls before they will quote coverage.