Cyber insurance coverage requirements
More risk means tighter qualifications and higher premiums when it comes to insurance — cyber insurance is no different. The past few years have seen enormous increases in cybercrime and, not surprisingly, skyrocketing claims.
Plus, many companies may be surprised to learn their insurer is no longer including cyber coverage in their general business insurance policies. They need to apply and qualify for it separately.
Get your company ready for cyber insurance underwriting
- Antivirus + Remote Management/Monitoring (RMM)
- Multi-Factor Authentication (MFA)
- File Backup/Restore
- End-User Security Training
Stats driving cyber insurance changes
The pandemic has pushed cybercrime into overdrive, with remote working and digital transformation without proper risk management being the prime drivers.
Cybercriminals are getting bolder and adding new tactics. For example, ransomware attackers are using “name and shame” to coerce companies to pay up even if they can restore from backups to avoid having their sensitive data published online. The FBI issued a warning in March 2021 about malicious actors who are now using deep-fake video and audio scams, and nation-states have moved beyond targeting critical infrastructure to focusing 90% of their effort outside the sector, according to Microsoft’s Digital Defense Report.
All of these trends are alarming for business leaders. They create both increased risk and an increased need for cyber insurance. But companies like yours aren’t the only ones facing higher risks.
Insurance companies face higher risks, too
Cybersecurity insurance is unlike other insurance in that it’s relatively new and not yet well-established or widely adopted by C-suites. Plus, it’s unpredictable. This means insurance providers might not have enough money from cybersecurity policyholders to cover just a few major simultaneous incidents. Even with reinsurance, providers’ risk is increasing substantially, according to Harvard Business Review.
The greater risk means that insurance providers offering cyber insurance have to be pickier about who they insure, charge higher premiums to cover the risk, and, potentially, revise what they cover. Some providers, for example, now only cover ransom paid to ransomware attackers under a separate policy or rider — ransomware attackers know they are more likely to get paid by companies that have cyber insurance, putting ransoms in a different risk category. Other providers are offering lower limits.
Why insurance companies are beefing up their approval processes
To determine a company’s risk profile, providers look at the company’s loss experience, industry, location, individual account specifics, and the security questionnaire. The questionnaire can be complex – asking about the security framework you follow, what you use for intrusion detection and security monitoring, how you manage backups and backup encryption, how you protect company data on mobile devices and other details. Your IT department or managed IT provider can answer accurately.
Now insurance companies are going deeper.
To validate the self-reporting, some insurers are conducting penetration tests on your company to see if their experts can get into your system. If they can, the provider may either turn you down, allow you to remediate the problems, or be satisfied if you can provide proof that you’re moving toward a more mature cybersecurity posture. The proof might include providing your IT security roadmap, signed proposals for professional services engagements, or a recent risk assessment report.
What you can do to get a good cyber policy and premium
Everything that improves your qualifications for cyber insurance revolves around assuming more responsibility for protecting your IT environment.
The actions range from performing basic IT hygiene and using multi-factor authentication (MFA) — often a policy prerequisite — to upgrading your security policies and procedures to practicing your incident response and disaster recovery plans.
At a minimum, protect and defend your environment:
- Apply the most recent patches and updates to all of your systems as soon as they are available (applications and appliances in addition to Windows)
- Implement Multi-Factor Authentication (MFA)
- Replace or retire hardware and software that have reached end of life
- Use data encryption
- Use concise access controls and permissions
- Identify your most critical business information and store it on ransomware-resistant backups
- Train and test your employees
To further reduce your risk, contain and monitor your environment:
- Perform network segmentation and enforce firewall policy-based boundaries within your environment
- Implement the latest security controls for your network, cloud platforms, and endpoints
- Monitor for stolen or compromised credentials
- Proactively look for software and system vulnerabilities
- Require your third-party vendors to meet the same security standards you meet
- Update and practice your Incident Response Plan (IRP)
- Update and practice your Disaster Recovery Plan (DRP)
Finally, consider hiring an external security firm to try to penetrate your network before insurance company experts try.
The bottom line is clear. The more cyber risk your company can manage through proactive security programs and options that cover at least some of your potential financial loss, the more attractive you are as a cyber insurance client.
About Plow Networks
Plow Networks is a leading IT services provider, connecting businesses to technology since 2012. With deep expertise in network, cloud, and end user support services, we partner with clients to leverage technology in ways that simplify operations and fuel growth. Plow Networks is based in Brentwood, Tennessee.