Is Your Company Up to Speed on Cyber Insurance?
November 04, 2021
Why keeping pace with the requirements of your cyber insurance provider is essential to protecting your company from risk.
Ransomware attacks on businesses and other organizations have been rising steadily in the past decade. In 2020, the situation reached an inflection point, with global ransomware attacks rising by 62 percent over 2019, according to one report. As if things couldn’t get worse, another report shows that volume shot up by 151 percent in the first six months of this year compared to the same period in 2020.
The constant threat of ransomware — and other emerging attack types, like supply chain exploitation — is driving a corresponding demand by businesses for cyber liability insurance. In fact, cyber products are one of the fastest growing segments in the insurance industry. But the blistering pace at which threats emerge is also creating issues for providers, who wrestle with questions about accurately quantifying cyber risk and deciding how coverage is granted.
78% of G20 companies were negatively impacted by a cyber attack within the past 12 months. — FTI Consulting 2021 Resilience Barometer®
As a result, the cyber insurance market has hardened, with sharp increases in premiums and providers scrutinizing the cyber readiness of organizations more closely.
Securing cyber insurance is an imperative. A policy offers the benefit of potentially offsetting costs related to cybersecurity incidents, such as recovery efforts or post-incident investigations, and transferring cybersecurity risk outside of the organization.
Given the state of the market, what do insured organizations and those interested in cybersecurity insurance need to know?
Start by considering the position insurance providers are in today with regard to ransomware. The existing coverage model, which permits payment to nefarious actors, has been criticized for incentivizing organized crime, allowing the threat to develop and grow to a level that is increasingly financially unsustainable for all parties affected.
To counter this evolution, insurers have begun to mandate that companies have certain basic cybersecurity measures in place before coverage is offered, and have tightened coverage restrictions. For example, organizations are expected to have multifactor authentication and offline backups — key controls to combat ransomware attacks. These measures can also help soften the blow after an attack, reducing the amount the insurance firm must pay out.
Providers are also assessing the cyber risk posed to an organization by its third-party vendors. Driven by a startling breach of a third-party vendor used by U.S. federal agencies and high-profile companies with global implications, providers have set expectations for protective measures prior to offering coverage. These require organizations to prove they have adequately addressed their third-party cyber risks. If they cannot, the provider may walk away from the table.
These trends demonstrate that insurers are moving away from traditional compliance questionnaires and are instead focusing on resilience.
Expectations of Regulators
Keeping pace with more stringent requirements from cyber insurance providers means that policy holders must have a more informed understanding of their own cybersecurity risk. The financial implications of poor practices demand improved due diligence within cybersecurity maturity assessments. This not only helps quantify risk exposure for providers but at the same time makes a better case for an organization’s coverage.
Regulators are adjusting to the fast-moving cyber insurance market by continuously reviewing policies, procedures and requirements that apply to organizations. Much of the work of regulators is to ensure that insurance firms identify, understand and price for cybersecurity risks and that they also hold sufficient capital to cover the risk. Insurance firms need to calibrate what the potential exposure from a cybersecurity incident could be and how it might diversify with other risks.
Certain regulators require that insured organizations have in place an operational resilience procedure that activates in the event of a cyber incident, such as a contingency plan for business continuity. Regulatory compliance requires that enhanced detection and prevention measures are implemented and that adequate cyber insurance is purchased.
The following measures help organizations meet provider expectations:
- Cybersecurity Program Assessment: This analysis will help determine an organization’s most critical cybersecurity risks, as well as how adequately vulnerabilities are being assessed against industry-standard best practices.
- Cybersecurity Hygiene: Ensure that cybersecurity basics remain an enterprise-wide priority. That includes regular patching, consistently saving files to offline backups, and always using a virtual private network (VPN) when working outside of the office.
- Cybersecurity Risk Management: Include cybersecurity risks as part of the operational risk management process. This will ensure cybersecurity risk is appropriately accounted for when considering organizational risk acceptance and risk mitigation plans.
Time Will Tell
Overall, the regulatory response in developed markets has been robust and commensurate in light of the ever-changing landscape. However, the space is evolving rapidly, new exposures are regularly being created, and cyber actors are continuously adjusting their game plans. Regulators, risk managers and underwriters need to continue to closely monitor developments in the months and years ahead to stay up to speed.
It could be suggested that the growth of cyber insurance, the subsequent hardening of the market, and evolving regulatory requirements will incentivize better cybersecurity practices. Time will tell.
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
About The Journal
The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.