Cyber insurance. A risky business!
As the frequency of cyber attacks increases and incident recovery becomes more expensive, it is important for businesses to have cyber insurance to reduce the potential losses associated with such events. In fact, such coverage is something we expect will become mandatory for all kinds of contracts and agreements in the future.
Unfortunately, despite the necessity, affordable cyber insurance with good coverage is not always so easy to find. You see, cyber insurance is a relatively new field and insurers are constantly re-assessing how they quantify risk in the ever-evolving digital world. In fact, some insurers have decided that providing cyber coverage is just not worth it and have pulled out of the market completely, as we discovered right before our own insurance renewal was due last year!
What did we do? How did we get by? Read on brave soul, read on!
A race against time
As a Payment Card Industry Qualified Security Assessor (PCI QSA) company, we’re required to maintain a range of insurance coverage, and we need to have the PCI Security Standards Council (SSC) listed as an interested party on a number of policies.
A lack of required coverage would be grounds for immediate cancellation of our QSA company status, so you can imagine our concern when we learnt that our previous insurer would not renew our insurance only a few weeks before our existing coverage was due to end. No ifs, buts, or maybes. Just no renewal!
Now, DotSec is a company with a squeaky-clean record – not a single claim in our 22 years of business – but our previous insurer still deemed us to be not worth the risk. I queried this with our broker and it turned out in fact that the decision was nothing to do with DotSec: The insurer had simply decided that the risk associated with providing coverage for any managed security service providers (MSSP) was unacceptable. And with that decision, they removed themselves from that market!
Fortunately, our crisis was averted when our broker found a new insurer with many days to spare! But as we breathed a sigh of relieve, the entire adventure made us wonder what would happen with insurance in 2022.
Well, that was all a year ago. It’s now 2022, our policy renewal is quickly approaching, and we’ve observed a few trends over the past year, trends which we think will impact all businesses that need insurance coverage against cyber attack.
Increasing cost for coverage
The first trend that we’ve noticed is that insurance premiums are increasing, and in some cases, they’re increasing dramatically. For example, on top our base premium we were informed that coverage for social engineering, phishing and cyber fraud would incur a 25% premium increase; and if we wanted contingent business interruption coverage, we would incur an additional 10% premium increase.
That’s an increase of 35% on the base premium for a company with no claim history at all! But I consider that we’re the lucky ones because these increases are happening all over the world, and some smaller businesses noting increases of over 100%. Our 35% increase is a good deal!
Increasing conditions of coverage
The second trend we’ve noticed is that the insured’s cybersecurity maturity can influence the level of coverage insurers are willing to provide. Insurers are increasingly asking prospective insured to report on their cybersecurity maturity through extensive self assessment questionnaires (SAQs)… And we do mean it when we say that they can be extensive! For example, one SAQ that we have worked with while assisting a number of national customers is made up of around 16 pages, each with between 8 and 20 questions per page. Think of the PCI DSS on steroids, with a focus on sensitive corporate data rather than Cardholder Data.
Completion of these forms is a lengthy process. Jesus Gonzalez, Cyber Chief of Staff, Aon Insurance notes that large enterprises “can expect a 10-fold effort [i.e. work that needs to be done by the enterprise] to renew their program and should allocate a sufficient amount of time by aligning internal resources including CISO, legal, compliance, and procurement to successfully address all insurance market inquiries surrounding their E&O/Cyber program. Cyber insurance markets are now requiring baseline application, supplementals (including ransomware), and a formal underwriting meeting to address any/all questions surrounding their cybersecurity hygiene. We are advising clients to start four to six months in advance of their renewal date.”
If organisations cannot demonstrate a suitable level of cybersecurity maturity, insurers may deem them too high of a risk and not worth covering. At least, not without significantly higher premiums, an even higher excess, lower sub-limits, or co-insurance clauses where the insured must share a defined percentage of the claim cost with the insurer.
Cyber insurance: A risky business
The increase in premiums, the requirement for better cybersecurity maturity reporting, and the increase in exclusions and co-insurance should be no surprise to anyone, given the stunning increase in the frequency and cost of cyber attacks over the past two years. Let’s take for example (as if more examples were needed) the recent Sophos State of Ransomware 2022 report. It shows that here in Australia:
- 80% of Australian respondents experienced ransomware attacks over the course of 2021 and of those targeted, 43% paid ransoms of between US$100,000 and US$499,999.
- 91% of Australia respondents said their organisation had cyber insurance that covered them if they were hit by ransomware.
And that explains what we ourselves have experienced: When a broad range of businesses rely on insurance instead of preventative security measures, and the general level of cyber maturity is so low that most targeted businesses succumb to attack and then claim on their policy, there can only be two outcomes:
- Some insurers pull out of the market because it’s not worth it, and uninsured businesses pay the ransoms from their own pockets.
- Those insurers who stay in the market:
- Increase premiums, exclusions and co-insurance (for everyone) so that the risks associated with payouts are covered, and all insurable businesses pay the increase from their own pockets.
- Increasingly reject coverage applications from those businesses that used to rely on insurance instead of implementing preventative security measures to a reasonable extent. And those uninsured businesses pay the ransoms from their own pockets.
It’s hard to see how this can be a surprise for anyone. Consider for example what would happen to car insurance coverage if a large majority of vehicle owners routinely left their cars unlocked… in dark alleyways… with the keys in the ignition. So what to do?
Well first up, don’t wait until your cyber coverage application or renewal is due. Start early, really early, to give yourself time to understand changes in requirements and coverage.
Secondly talk with your broker (well before the coverage due date) to investigate alternatives (if needs be), and to mitigate shortcomings that may limit or prevent your ability to obtain coverage at an affordable price.
And finally (of course you knew this already!) talk with DotSec. We understand cyber maturity, security control frameworks and standards, and we partner with an advanced and leading InsurTech (a business who leads in the digital transformation of the insurance industry) company to help our clients control cyber risks and minimize risk exposure.
Cyber insurance: A risky business! But that doesn’t mean you can’t influence odds!