Cyber insurance trends and best practices: An evolving landscape
With cybersecurity attack attempts and successful breaches surging, cyber insurance has never been more valuable to middle market companies. However, the cyber insurance landscape is changing as long-standing risks increase and new ones emerge. In the past, cyber insurance was relatively inexpensive, but the increase in attacks—especially ransomware—has drastically changed policy requirements while also increasing costs.
The current cyber insurance environment
Unfortunately, we are seeing attacks in every industry, and the financial demands are getting much higher. Criminals know that more companies are buying cyber insurance, and this has made them even bolder—if they have insight into what a policy covers, they will ask for a ransom that the insurance company will cover. The odds of a security incident having a major impact on your business have increased—this has made providers more nervous about the coverages they offer and has led to some fairly significant changes.
Some of the more recent, important changes in the cyber insurance marketplace include:
- Reduced capacity: Insurance carriers are not comfortable offering as much coverage, because they know there is a higher probability of having to pay out that amount.
- Rate increases: We are seeing a 25% to 100% increase in rates to account for higher, more frequent losses.
- Underwriting scrutiny: Underwriters have gone from asking very little about an organization to basically wanting to be a part of your IT team. They are asking more questions about controls, and if they deem you high risk, they may not offer you coverage.
Simply applying for cyber insurance has become more involved. Insurance companies have enhanced their application questionnaires to understand whether a company is at risk for ransomware and various other types of cyberattacks. Carriers use these yes/no questionnaires to score applicants and set insurance rates, as well as determine whether they will offer a policy at all.
These questionnaires are a critical part of the insurance process, and you need to fill them out as accurately and completely as possible to ensure you don’t compromise your rates or eligibility for coverage. The number of “no” answers you give could disqualify you from coverage, so a thorough assessment of your risks before you apply is critical.
Ensure you are fully protected from cyberattacks. Although ransomware is a huge problem right now, it isn’t the only cyberthreat. In most cases, ransomware is the final step of a full compromise of an organization, so you should have coverage for the overall business. Other types of malware attacks and theft of intellectual property still happen, and data loss due to intentional or unintentional employee missteps still occurs, so your policy should account for the full spectrum of risks.
The growing importance of cyber insurance
Although the cyber insurance market has become more complex, it remains a key pillar of an effective cybersecurity approach. Even in recent years, many companies may not have been completely familiar with how policies work or what coverages were available. However, we now see signals that the middle market is better embracing cyber insurance as a key protective measure.
The RSM Middle Market Business Index 2021 Cybersecurity Special Report found that 65% of respondents currently use a cyber insurance policy to protect against internet-based risks. That number has steadily risen each year, and represents a 3% increase from last year’s data. Similar increases were seen in the data for larger middle market organizations that carry a cyber insurance policy (71%), as well as their smaller counterparts (59%).
A cyber insurance policy is only as good as the details of the protections it offers, and the MMBI survey found that companies have an increased awareness of their coverages, which is a positive sign. In the current environment, with providers frequently making changes to coverage limits and options, you should stay in contact with your vendor and make adjustments as needed to make sure your protections meet insurer expectations and provide proper coverages.
Three steps to optimize your cyber insurance investment
The changes taking place in the cyber insurance market will lead to increases in premiums and, in some cases, result in dropped coverage. However, three fundamental steps can position your organization to be better prepared and optimize your cyber insurance coverages and costs:
- Assess your cybersecurity program: What is your business doing that exposes you to cybersecurity risks? How many of those risks are still evident after applying certain controls? What decisions do you need to make to address those remaining risks?
- Plan for the future: Establish a balanced program with investments focused on managing risk across key cybersecurity areas.
- Go for quick wins: For maximum impact on your coverage, make immediate adjustments such as implementing multifactor authentication on external connections, removing local admin rights, hardening email accounts, undergoing incident response exercises, and ensuring patching is up to date.
In the current threat environment, cyber insurance is an imperative protective measure for middle market companies. The financial, reputational and regulatory impact that breaches often create can be extremely harmful, and a well-designed cyber insurance policy can help lessen those damages.
Taking the right steps to shore up your cybersecurity approach will show insurers that your company is taking a proactive stance against threats and reducing its vulnerability to emerging risks, better positioning you to keep your policy in effect and save money.