The Latest Trend in Cyber Insurance: Get Less for More
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
Higher Premiums, Lower Coverage
Given the number of companies that have suffered the ill effects of a ransomware attack, it’s no surprise that the cost of cyber insurance is on the rise. A Reuters article illustrated this trend by noting that American International Group, Inc. (AIG) premiums are up nearly 40% (as of August). At the same time, coverage limits are shrinking – some mid-sized businesses that had $10M in coverage will now only be able to get $5M.
Travelers explains that there are several factors that are driving up the cost of cyber insurance and none of them are surprising.
- Ransomware (AM Best noted that 75% of all cyber insurance claims in 2020 were for ransomware)
- Rising Replacement Costs
- Increased Response Costs
- Poor Cyber Hygiene
- Lack of Response Plans
- Business Interruption Costs
It’s getting harder to afford cyber insurance. For some companies, it’s also getting harder to buy cyber insurance at any price. Fortunately, there are some steps to take to slow these trends.
What We Can Do
To help control the cost of our cyber insurance plans, and to ensure continued insurability, we need to take steps that show insurers our organization is less risky. We can do that by addressing as many of the above factors as possible.
Ransomware: We can’t control when or how often ransomware attacks happen, but we can take steps to make sure they have a minimal impact. If we can demonstrate that the existing ransomware protections, including endpoint and server protection and detection mechanisms, are top-notch and properly implemented, it will help our cause.
Rising Replacement Costs: We can’t do much about rising replacement costs themselves, but there are some things we can control to help minimize them. If we have proven (i.e., tested) mechanisms to limit the scope and severity of an attack, that will help drive down those costs.
Increased Response Costs: Limiting the scope of an attack helps reduce the cost of response. A practiced response plan can be executed more efficiently and effectively, further controlling costs. We will talk about response plans in a minute.
Cyber Hygiene: Did you know that insurers use tools to evaluate our company’s cyber hygiene when they calculate our cyber insurance premium? Two common ones are self-assessment questionnaires and cybersecurity risk rating services. Look at that questionnaire. If there is a security control mentioned, it would help our case if we can honestly say we have it in place. We can also get our own subscription to a cybersecurity risk rating service so we know what the insurers can see about our hygiene – and take steps to improve that score. Doing so may also help improve our image to our B2B customers.
Response Plans: If we don’t have an Incident Response plan, make one – and don’t skimp on the details. Don’t stop with Incident Response. Remember that a ransomware incident could cause significant disruption to the business. That means we also need to have a rock-solid Business Continuity plan so business can continue during the recovery efforts. Once we have our plans in place, test them, learn from those tests, and improve our plans.
Business Interruption Costs: If our Business Continuity Plan is solid and tested, we should be able to keep working soon after an attack. If our Incident Response and/or Disaster Recovery plans include solid, tested, and immutable backups that can’t be destroyed by attackers and can be restored very quickly, that will also drastically reduce our recovery costs.
Showing potential insurers how well we have addressed these items will help drive down premiums. Showing the same to the Board of Directors will help them be confident that our organization is doing what it should in order to protect itself from attack. That’s a win-win.
Make Insurance Purchases a Team Sport
Once we find the right cyber insurance policy, make sure to get the right people together to thoroughly read the entire policy before we sign off and cut a check to the insurer. That team should include people from Finance, Legal, and Risk. Don’t forget to include someone with cybersecurity expertise, since they are the ones who understand that topic best.
Have the team read it all with a critical eye. I once reviewed a cyber insurance policy that had an exclusion for “damages caused by unauthorized software introduced into the covered environment”. Think about it: that exclusion eliminates coverage for damage caused by viruses, malware, and yes – even ransomware. Don’t find out too late that we are not covered. Read the fine print before you buy.
If you still can’t get enough coverage, there are some new alternatives appearing in the market. Arctic Wolf recently started offering Service Assurance to their customers. This can help supplement cyber insurance with up to $1,000,000 in coverage.
cStor’s cybersecurity experts can help you address the factors that are driving up your cyber insurance costs and get more strategic about your organization’s approach to cybersecurity. Contact us to learn more.