DO NOT DESPAIR if your cybersecurity insurance provider informs you that they are not renewing coverage for your business, or your application for a cyber liability policy is denied when you initially apply. There are plenty of options available to your business, and we’ll walk you through them here.
There are 5 main reasons why your business might be denied cybersecurity coverage:
- You’ve recently experienced a cyber attack
- You haven’t attained the minimum acceptable security controls
- You have too much sensitive information
- You asked for too much insurance coverage
- You are asking for insurance from the wrong insurer
Each of these situations has a solution. Once you’ve determined which situation(s) you are in, follow these recommendations to find a way forward.
Scenario #1: Prior Security Incident
It’s common for an insurance carrier to cover your business through one cybersecurity attack, but then cancel your policy or not offer a policy renewal once your contract ends. If this happens, work with your insurance broker and move on to another insurance provider.
You will need to report to a new insurance provider that you've experienced a prior cybersecurity incident. They will require that you share how the attack happened and what your response was.
Expect that any new insurance company will require strict security controls and proof that you have implemented changes to your workstations, servers, and networks to avoid another security incident.
Once you've experienced a cybersecurity attack, be prepared for added barriers like only qualifying for insurance with higher annual costs, higher deductibles, and stricter limitations on what will be covered.
Scenario #2: Required Security Controls
In a companion post, we covered the 6 critical security controls you must have in place. Most cybersecurity insurance providers will request a self-report on your security controls via a questionnaire, so looking back over that questionnaire should give you clues about which security controls you were missing. The insurer may also tell you that your lack of MFA or failure to properly patch your systems was the key reason you were denied.
We’ve seen an increased use of online scanning tools to qualify cyber insurance buyers. Many cybersecurity insurers now require a report from BitSight, Vanta, or SecurityScorecard (to name a few in this crowded space) before they will issue insurance. Even if your insurer does not require a report from one of these platforms, you can opt to have a third-party controls assessment performed on your infrastructure. These risk assessment tools have the benefit of giving you a tailored report about your business’s weaknesses, often with recommendations about how to address them, which gives you a prescriptive path to bring your controls up to an acceptable level.
Net Friends also provides services and consultations to our NetVisor customers on a regular basis to ensure they have the security controls in place to protect them from cyber attacks, as well as help them readily secure cybersecurity insurance.
Scenario #3: High Volume of Sensitive Information
If your business was denied coverage for having too much sensitive information (often called Personally Identifiable Information, or PII), you still have a few options. It typically takes millions of PII records for an insurer to deny coverage on this factor alone.
First, make sure that your business has a very good reason to store, transmit, and/or maintain PII. Sometimes we find that a business stores a lot of PII but no longer needs to, potentially because of a past business venture or an acquisition.
If you discover that your business has a lot of PII unnecessarily, then we strongly encourage that you eliminate this data according to your data retention requirements and within the bounds of any regulations that might apply to your business.
Keep in mind that to fully remove data from your systems, you also have to cycle out your data backups and confirm that every copy of the data has been eliminated.
Second, if your business does have a good reason to handle PII, then critically examine whether there are ways you could de-identify the data. There are multiple tools that can assist with this, but most require someone with programming skills to implement them properly. This will be an expense for your business, but it will also significantly reduce your potential liability and reputational harm in the event of a data breach. More information about how to properly de-identify data can be found in government resources, such as those from the Department of Health and Human Services.
Third, if you do find that you need to maintain a lot of PII data, look to see if you can increase your security controls to add more layers of protection around your data. Be prepared to make a case to a future insurance provider about all the safeguards that mitigate your risks of data loss. Net Friends can help you improve your security posture and critically examine your existing security controls so we can identify more effective ways to protect your business.
Scenario #4: Coverage Limits
When you are requesting cybersecurity insurance, you are actually requesting coverage for multiple (often 30 or more) specific risks. You are also transferring risk from your business to the insurer. Sometimes you can transfer too much risk by asking for limits that are too high, which makes your business look like too great a risk to the insurer.
We often think of just the top liability coverage limit (the big number), but most policies also specify separate limits for additional risk costs.
Breach notification response, data restoration, public relations, and computer fraud each have their own claim limit and deductible amount. If you request too high a claim limit, or too low a deductible, an insurer may see your business as too much of a risk and deny coverage. A good insurance broker, like The Insurance People, will guide you through the process to ensure you get the right mix and balance of claim limits and deductible levels.
Scenario #5: Insurer Mismatch
If your business gets denied cybersecurity insurance coverage because your provider is no longer offering it to any business, rest assured that there are multiple underwriters and insurance carriers out there! While a few insurance underwriters got burned by large ransomware payouts and have left the cybersecurity insurance space, dozens more insurers are finding cybersecurity insurance to be a profitable business. Your insurance broker should help you match with a good insurer for your business and help you maintain coverage.
Sometimes the main problem isn’t that you are denied coverage, but that the annual premium for the insurance is simply too high. If that’s the case, explore other insurance providers through your broker to see if you can get a better rate. Make sure your insurance broker is helping you get full credit for all the hard work you are putting toward implementing strong security controls and reducing your sensitive PII data.
Every business needs cybersecurity insurance to mitigate the risk of a security incident or data breach. Having cybersecurity insurance is a competitive advantage and shows that your business takes cybersecurity risks seriously. You should not have to resort to just keeping some funds in capital reserves (also known as a “rainy day fund”). Make sure you have a great working relationship with your insurance broker, as they can help you avoid getting denied or help you find coverage elsewhere if you do get denied.
We encourage all businesses to review this 13-item list of critical cybersecurity controls, and if you don’t have solutions in place for any one of these, please reach out to Net Friends today!