It's tough out there in Insurance-Land!
As recently as five years ago, insurance companies were readily promoting cybersecurity liability coverage as an add-on or expansion of Errors and Omissions (E&O) policies for small businesses. That was before Ransomware-as-a-Service was perfected by REvil, Maze, and other malicious actors, which the article's source puts at $20 billion worth of damages in 2022 alone. Insurance claims for ransomware attacks have skyrocketed in both frequency and scale, driving steep year-over-year price increases.
According to a recent report from the insurance broker Marsh, the 96% year-over-year price increase for cybersecurity insurance was driven by four key factors:
- Cybersecurity insurance is far less profitable
- Cyber attacks aren't always isolated events, which throws off actuarial models
- Fewer insurers are participating in the cybersecurity market
- Many remaining insurers are reducing their approved policies to limit their exposure
Any one of these factors would significantly drive up costs for businesses seeking coverage. Together, they create almost insurmountable upward pressure on price. Even though the need for businesses to carry cybersecurity insurance has never been greater, the cost is getting so high that many small businesses feel they have no choice but to go without and take their chances on avoiding an attack.
Securing Cybersecurity Insurance
The process of applying for cybersecurity insurance is quite involved. The application asks many questions across a broad range of topics, from policies to tools to training. The forms are very difficult to fill out without knowledgeable IT staff to assist, because answering every question means gathering information from multiple sources, both inside the organization and from vendors like Net Friends.
Given the way the questions are worded, it is clear that an answer to the effect of "we don't have that in place", or an indication that something is "not fully implemented", will lead the insurer to reject the application and decline to issue a cybersecurity insurance policy for your business.
Anecdotally, Net Friends is aware of multiple businesses that cannot secure cybersecurity insurance at any price. Their applications are typically denied for one of these core reasons:
- Too much sensitive data
- Industry segment is considered too high-risk
- Recent cybersecurity incident
In each of these cases, the next option is to work with an insurance broker to find an underwriter who will either provide a policy or lay out a pathway to qualify for one.
Any well-run business that operates in a high-risk industry, holds many sensitive records, or has experienced an attack is going to actively seek coverage to offset its risk.
While the insurance market has contracted recently, there are alternative options that a good broker can help you explore.
Non-Negotiable Cybersecurity Controls
One of the best outcomes of insurance companies influencing IT best practices is the attention they have drawn to the essential security measures every organization needs to implement. Insurers are highly incentivized to identify the measures that are most effective at preventing an attack or limiting the damage a successful attack can cause.
Unfortunately, the volume of claims over the past several years has given insurers plenty of data points, and they have honed their list down to 13 core controls that need to be in place. The first six items are non-negotiable requirements that a business must have implemented in order to obtain cybersecurity insurance coverage:
- Multi-Factor Authentication (MFA) for all remote access and all privileged (administrative) accounts
- Email Security
- Web Security
- Privileged Access Management (PAM)
- Secured, encrypted, and tested backups
- Endpoint Detection & Response (EDR)
- Patch Management
- Cyber Incident Response Planning & Testing
- Security Awareness Training
- Hardening techniques, like limiting RDP
- Logging and monitoring protections (SIEM)
- EOL systems replaced via life cycle policy
- Vendor and supply chain risk management
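The "limiting RDP" item above is the one control on the list that is easy to show in a few lines, so here is an added example of what it looks like on a single Windows host. This is illustrative code written for this article, not a Net Friends script; it assumes that administrators connect from a management subnet of 10.0.10.0/24 (an assumed value, adjust it for your network) and that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): audit and then restrict
# Remote Desktop on a Windows host. Assumes admins connect from the
# management subnet 10.0.10.0/24; change this to match your environment.
# Run from an elevated PowerShell session.

$ManagementSubnet = '10.0.10.0/24'   # assumed value
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Audit: which remote addresses do the built-in "Remote Desktop" firewall
#    rules accept, and is Network Level Authentication (NLA) required?
#    A RemoteAddress of "Any" means RDP is reachable from every network the
#    host is attached to.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress

# UserAuthentication = 1 means NLA is required; 0 means unauthenticated
# clients reach the Windows logon screen.
(Get-ItemProperty -Path $RdpKey -Name 'UserAuthentication').UserAuthentication

# 2. Harden: scope the Remote Desktop rules to the management subnet instead
#    of "Any", and require NLA so a client must authenticate before a session
#    is created.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementSubnet
Set-ItemProperty -Path $RdpKey -Name 'UserAuthentication' -Value 1

# 3. Re-check the enabled rules; RemoteAddress should now list only the
#    management subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress
```

Scoping the firewall rule only limits who can reach port 3389 on that host; it does not replace the MFA requirement at the top of the list. If RDP must be reachable from outside the office network at all, put it behind a VPN or remote-access gateway that enforces MFA rather than exposing the port directly, and roll the firewall scope and NLA setting out centrally (for example through Group Policy) so that every host is covered rather than just the ones someone remembered to configure.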
Partner with a Security-First IT Partner
Net Friends managed services offerings can help ensure your cybersecurity controls are properly put in place and managed so you can fully protect your business. With a proactive plan to meet the non-negotiable requirements listed above, we can help you reduce the cost of cyber liability coverage.
Meeting these requirements not only improves your chances of securing cybersecurity insurance, it also lets you demonstrate a lower risk profile to the underwriter and negotiate a better rate.
We want to help your business gain the protection that comes both from having best-in-class IT controls in place and from confirming that your insurance provider will cover you should those controls fail. We encourage every business to review the 13-item list above, and if you don't have a solution in place for any one of them, please reach out to Net Friends today. You don't want to scramble to implement them after you have been denied insurance or after a cybersecurity attack.