Organizations attempting to buy or renew cyber insurance policies confront an imposing mix of challenges, changes and value-added services. A volatile marketplace features soaring premiums, more coverage limitations, non-renewals, and intensifying underwriting scrutiny along with a growing assortment of new pre- and post-data breach offerings.
“Companies rated best-in-class in terms of their cyber risk management capabilities are seeing rate increases of 20% or higher,” reports John Farley, Managing Director – Cyber Practice Leader at insurance broker Arthur J. Gallagher. “If a company doesn’t have important controls in place, it may face 100%, 200% or even 300% premium rate increases. If a crucial control like multi-factor authentication is absent, a company may get non-renewed.”
As part of our information security and data privacy work, Protiviti regularly consults with leading brokers (like Farley) and cyber insurers (like Trent Cooksley, Co-Founder and Chief Operating Officer, Cowbell Cyber, Inc.) to keep apprised of marketplace developments. Our recent discussions and collaborations indicate that CISOs in the market for new cyber liability insurance policies should understand market trends and then address policy-purchasing considerations.
Premiums are not the only factor cybersecurity insurance buyers should weigh. Coverage limits – the amount an insurer will reimburse a customer that experiences a loss – also matter. These limits are declining in the current market, which has been hardening since 2019 amid a surge of ransomware incidents and other cyber threats. A carrier that offered $10 million for a specific coverage limit in 2020 may have reduced that same coverage limit to $5 million in 2021.
“There are no signs that the frequency and severity of cyber attacks will decrease in 2022,” Farley reports. “Companies are in a difficult situation due to rising rates and coverage being scaled back by carriers. Capacity is shrinking, so we are in a tough spot right now.”
While underwriting and renewal processes have grown more involved and burdensome, the remediation work they produce could lay the groundwork for a softer market. “The optimistic view is that the difficult questions underwriters are asking will get better controls in place,” Farley says. “The pessimist will point out that hackers tend to pivot: every time we get an effective control in place, they figure out a way around it. Still, I’ve got to believe that all of this work will generate long-term benefits for the market, but it’s probably going to take a couple of years to move the needle.”
Cooksley agrees, and he credits policyholders for becoming much more knowledgeable about cyber insurance and the actions needed to reduce losses. “We’ve all made a lot of progress, so I’m optimistic,” he continues. “Some of the coverage that was offered in the market three to four years ago was mispriced, and that led to policyholders thinking that cybersecurity insurance wasn’t something they needed to spend much time thinking about. That mindset has done a ‘180’ in the past 24 months.”
Factors to consider when selecting a cyber policy
In light of the different components of cyber insurance policies and the adjustments insurers are making to them, “it’s extremely important to understand how a policy is configured,” Cooksley asserts. “Policies are often configured in a very complex way, and they typically vary from company to company.” The following steps can help cyber insurance buyers obtain more coverage and lower premiums:
1. Pick the right purchasing team: Cyber insurers routinely ask dozens of questions about an organization’s information security program, practices and controls during the underwriting process. Cooksley emphasizes that it’s important to provide accurate and complete information in response by seeding the team with sufficient expertise. The CISO, CFO and general counsel often guide a policy purchase. In larger organizations, a risk management team responsible for cyber insurance coverage might lead the way; operational leaders may also be involved. When answers to an insurer’s underwriting questions reveal shortcomings, those security lapses should be quickly remediated.
2. Consider a broker: Smaller organizations, especially those that outsource some or all of the IT function, should consider hiring a broker to facilitate the policy purchase. Brokers possess current knowledge of a complex and rapidly changing cyber insurance market, and they typically obtain quotes from several different insurers. Brokers also know which carriers specialize in certain industries, which explains why mid-sized and larger companies also use their services. Brokers typically help organizations understand and quantify cyber security risks based on industry claim volumes, loss amounts and other benchmarking data – and they play a key role in preparing their clients for intense underwriting scrutiny.
3. Ensure critical controls are in place: “If you don’t have sufficient security controls in place, there’s a good chance you will not qualify for a policy,” Farley notes. “Or, if you do – your premiums probably will be through the roof and your coverage will be scaled back significantly. Taking a hard look at how you’re protecting your IT infrastructure along with identifying and remediating gaps can be time-consuming. We like to give our clients plenty of time to address controls before we put them in front of an underwriter.” Because remediating security gaps before buying or renewing a policy can be time-consuming, it is imperative to allocate the right resources – time and money – to accomplish that before starting conversations with the underwriter.
Multifactor authentication, data backup, patch management, endpoint detection, input detection, incident response systems and employee training also figure prominently among the security controls that insurers assess with the greatest rigor. Organizations that evaluate and, when needed, strengthen these controls prior to reaching out to cyber insurers are more likely to experience a smoother underwriting process that yields more favorable premiums and coverage.
4. Do your homework or plan for a lengthy application or renewal process: The cyber insurance market has hardened recently, extending the timeline to buy or renew a policy. If you invest time upfront to deploy critical controls (and become more secure), getting cyber coverage can be easy and quick. If not, be prepared to invest time from key decision-makers in the underwriting process – which now ranges from three to six months in duration depending on the company’s risk profile – and may involve extensive back-and-forth between the carrier and the purchasing team. In addition to focusing on important security controls, insurers want to know how the organization manages third-party vendors that handle sensitive data, what the cyber event response plan calls for and the extent to which its IT infrastructure has security vulnerabilities. To that end, some carriers will ask to deploy scanners, crawlers and related automation to conduct automated scans of networks. When a carrier’s scrutiny of an organization’s information security capability yields impressive results, it can result in lower premiums, better coverage and much faster policy issuance, Cooksley notes.
5. Take full advantage of pre- and post-breach services: Cyber insurance policy providers offer a growing portfolio of services. Pre-breach offerings are designed to fortify security and enhance prevention and detection. These services may include referrals to information security consultants, improvement recommendations, employee training, tabletop incident-response exercises and continuous monitoring interfaces. Post-breach services include incident hotlines as well as referrals to external legal firms, “breach coaches” and forensic specialists.
Taking full advantage of a cyber insurer’s services can limit premium increases, ensure robust policy coverage and help the organization respond more effectively when an incident occurs. Cyber attacks with the potential to inflict losses beyond thresholds established in the policy should be communicated to the insurer quickly so that all of the actions in the incident response plan – including complying with relevant state, federal and international regulations concerning data privacy and cyber attack disclosures – are performed.
Claim reporting requirements are clearly stated in each policy. CISOs, risk officers and general counsels should know those requirements cold. “You can get into a sticky situation if you haven’t reported an incident that you are contractually obligated to report to your carrier,” Farley adds. “A lot of policies indicate that carriers are not required to cover remediation costs associated with a cyber event that is reported too long after the insured becomes aware of it.”