How to Clear the Rising Bar for Cyber Insurance
 
 

Cyber insurance providers have become more demanding — charging bigger premiums, setting higher deductibles and requiring better evidence of risk management. But they’re also providing less coverage. How can your business get the affordable insurance coverage it needs in this changing environment?

Cyber Crime Wave Strains Insurance Industry

U.S. premiums increased an average of 79% in the second quarter of this year, after a whopping 133% increase in December 2021, according to Marsh, a leading broker.[1] Yet demand for cyber insurance is still climbing alongside mounting cyber risk. 

What’s driving higher cyber insurance costs? Lloyd’s, the insurance underwriting giant, recently issued the following market bulletin: “The ability of hostile actors to easily disseminate an attack, the ability for harmful code to spread, and the critical dependency that societies have on their IT infrastructure, including to operate physical assets, means that losses have the potential to greatly exceed what the insurance market is able to absorb.”[2]

In addition to paying more, applicants must meet increasingly stringent cybersecurity standards. Due to losses, Marsh said, “Insurers are tightening their underwriting terms, carefully analyzing all cyber insurance applications, and asking more questions than ever before about an applicant’s cyber operating environment and risk controls.”

Certain cyber damages are not typically covered, such as the loss of intellectual property or future profits. Significant, yet intangible, losses to your brand and reputation are also not covered.  Coverage may be capped if the attack involves ransomware or not available if it’s a state-sponsored attack.

Consequently, even as more companies are looking to insure against ransomware and other cyberattacks, security professionals have become less confident in this safety net, according to Mimecast’s forthcoming State of Ransomware report. For example, only 64% of 2022 survey respondents said they believed their insurers would cover ransom payments, compared with 79% last year. 

Companies Need to Improve Access to Cyber Insurance

Depending on company size, industry profile, desired coverage, risk profile, and other factors, companies may pay annual premiums ranging from under $1,000 if it’s a small business to hundreds of thousands, if not millions, of dollars if it’s a major multinational. In return, companies want protection against losing 10 times that amount or more in a cyberattack. 

Many businesses no longer consider it an option to do without cyber insurance. In our State of Ransomware survey, 34% said their companies are insured, and another 37% said their companies requirecyber insurance as a way to offset potential catastrophic loss due to a cyberattack. However, “insureds lacking basic cyber hygiene can expect to see continued significant premium and retention increases, coverage restrictions, and/or overall insurability challenges,” Marsh said.

Companies seeking to acquire or renew cyber insurance policies under the most favorable terms possible need to develop good hygiene in a way that presents a clear and consistent story to insurers. It’s a good idea to think like an insurer focused on business losses when assessing your risk profile, including:

• Your industry’s profile.
• The volume of sensitive data you store and process.
• The potential impact of a cyberattack on business operations.
• Your company’s score on public cybersecurity rating services.

Insurance providers are upfront about their growing list of cyber requirements surrounding companies’ people, processes, and technology. Marsh has published a list of a dozen, including:[3]

• Multifactor authentication
• Email filtering and web security
• Secure backups
• Conditional access management
• Endpoint detection and response
• Patch management
• Incident response plan
• Cybersecurity awareness training
• Hardened systems
• Monitoring
• System replacement at end of life
• Supply chain risk management

In addressing the items on this list, Mimecast’s integrated email security, archiving/backups and cyber awareness training represent front-line defenses, since most cyberattacks originate in malicious emails. We also recommend maximizing your controls with tactics including API integration for threat sharing and orchestrated response across your cloud email and collaboration platforms, numerous endpoints, and multiple point security solutions.

Among other steps, consider following an established risk framework, such as the Factor Analysis of Information Risk (FAIR) model. And conduct tabletop exercises to continually test and strengthen incident response.

The Bottom Line

Rising cyberattacks have driven cyber insurance rate increases and tighter limits on who and what will be covered or not. Assess your cybersecurity people, processes, and technology, and then consider which levers you can pull to reduce the frequency and severity of attacks. From this position of strength, you’ll be better able to provide the assurances that insurers require, manage your premium increases, maximize your policy limits, and overall coverage, and minimize your financial risk.

Next Steps

Contact Mimecast today for a demonstration and assessment of how we can assist you with your cybersecurity. 

[1] “Global Insurance Markets: Moderation in Pricing Increases Continues,” Marsh

[2] “State-Backed Cyberattack Exclusions,” Lloyd’s

[3] “Cyber Resilience: 12 Key Controls to Strengthen Your Security,” Marsh