Insurance for Cyber Risk exposures has been in existence in some shape or form for roughly 20 years. Most business owners did not see a distinct need for, or lacked trust in, the cyber insurance policies that were offered in the early years. When news of network breaches started becoming more prominent (Target breach of 2013, Sony breach of 2014) the business community started to take note. Even then, many businesses considered that the bad actors were only interested in hacking large corporations, not small and mid-sized enterprises (SME’s). Now, one only need open a newspaper or a trade journal from literally any industry to see these events trending upwards, significantly, and no industry seems to be safe.
In more recent years many organizations have recognized the risk from cyber losses as a significant exposure for their business and have purchased cyber insurance to help manage the financial losses associated with that risk. The additional upside of purchasing cyber insurance is the ability to make full use of the breach response capabilities that many of the high-quality insurance companies include as part of their policy offering.
Historically the leading concern for business was their exposure to a network security breach that exposed personally identifiable information (PII) of customers or employees and the related costs for notifications and credit monitoring for impacted parties, liability to those whose PII had been accessed, the costs to investigate the cause and extend of the breach as well as remediation of the network. While a breach impacting PII remains a primary loss exposure, today’s cyber insurance policies, unlike their earlier predecessors, cover a broad range of losses including damage to network systems, business interruption losses, ransom/extortion events and crime losses, among others.
Prior to the onset of Covid-19, cyber insurers were seeing a notable increase in claims related to ransom/extortion events as well as crime losses. The crime losses were often a result of deceptive fund transfers, sometimes referred to as social engineering losses.
So why the history lesson? Because to put it simply, that was then, and this is now. Let’s explore what’s different.
Losses. And lots of them. What really concerns cyber underwriters today is the proliferation of ransom/extortion events as well as social engineering claims. There has been a surge in successful, and sometimes large, ransom events that have changed the way cyber underwriters are vetting existing and prospective policy holders to establish eligibility for coverage. In addition, underwriters are changing the pricing model of policies in a way that reflects the heightened risk to ransomware and overall Cyber losses in general.
As recently as last year, many cyber insurers were asking relatively few questions beyond what a short application requested for information on the business and their network. Pricing was generally favorable for both small and large businesses. Enter 2021, and all that has changed. Underwriters are asking more questions, a lot more, about cyber hygiene employed by the business and overall network security hardening. For the businesses that exhibit strong cyber resilience it is still not uncommon that the underwriter will look for increased premium, higher deductibles and possible a cap on the limits of insurance they are willing to offer. We expect this to be the new normal of cyber underwriting at least into 2022.
There are many reasons a given business may not have their network security hardened to the extent that cyber underwriters are now requiring. It could be the lack of time, people, and resources necessary to address everything on their network security to-do list or they may not have the internal talent necessary to identify and execute the critical elements of good cyber hygiene. But importantly, cyber underwriters are now identifying minimum network security protocols that must be in place if they are going to offer renewal coverage on existing policies or agree to write a new policy. The intent is not to be unreasonable but rather to provide the necessary guidance on what minimum security standards should be employed by the business to eliminate the most glaring pathways for the threat actors to access their network and therefore reduce the loss potential for both the insured and the insurer.
The cyber underwriters list of risk mitigation requirements grows based upon the size and scope of the insured business. Different underwriters may have different mitigation requirements but in virtually all cases, cyber underwriters now require dual factor authentication (2FA), also known as multi-factor authentication (MFA) on email and remote access for all businesses, regardless of size. Businesses that lack this may find that coverage is unavailable to them or at a minimum, see much higher premiums as well as coverage restrictions. In addition, most carriers will also require backups in the cloud (or otherwise segregated from the network).
Many cyber underwriters now utilize remote scanning tools to assess the security of public facing websites to determine if there are other obvious deficiencies in the security protocols of a business. Using these tools an underwriter can determine if a business has open, unsecured remote desktop protocol (RDP) ports on their network. If these are spotted the underwriter may require that they be disabled or secured with MFA.
Here are the top questions Cyber underwriters are asking these days
- Does the business have MFA in place for email and remote access users? (Critical)
- Does the business regularly run offline segregated backups? (Critical)
- Has the business disabled RDP. If RDP is still used for remote access, have all RDP ports been secured? (Critical)
- Does the business have spam filtering and email configuration?
- Has the business deployed next generation anti-virus software: Behavior-based protection?
- Does the business have privilege segmentation for IT users?
- Does the business have a process in place to regularly download, test, and install patches within 30 days of release on their computer network, including modem and firewall patches?
- Does the business encrypt all sensitive and confidential information on their computer network?
- Does the business have regular network security training for all employees (at least once per year)?
- Does the business employ an intrusion detection system (IDS)?
- Does the business conduct mock phishing and employee training activities?
Is it necessary to have all these security protocols in place for your business? Given the proliferation of threat actors and the security breaches they intend to inflict on your network the goal for every business should be to harden the entire security ecosystem to minimize the threat of a compromised network. Each of the underwriting questions outlined above should be considered as part of your network security risk management assessment.
Reviewing and updating your network security approach should be part of a transition to the concept of cyber resilience—not only working to secure data and systems, but also an assessment of your staff training, processes, technology, and strategy for when those security measure fail.
Interested in learning more? Contact us at firstname.lastname@example.org or call us at 952-707-8200.