How do insurance buyers and their corporate stakeholders manage this unprecedented volatility in the cyber insurance market? We’ll outline steps that policyholders can take in collaboration with their brokers and carrier partners to ensure they are driving positive results on their cyber renewals while also maintaining a grounded set of expectations.
1. Don’t Become Complacent About Cybersecurity Controls
Continue to push and empower your chief information security officers (CISOs) to further strengthen your company’s cybersecurity posture. Multi-factor authentication, endpoint detection and response (EDR), backups, privileged account management, and training/awareness continue to be the best prevention against most ransomware and data breach events.
2. Review Your Policy’s Exclusions and Restrictions
Challenge your broker to outline to you where you may have lost coverage over the last few years and where there may be opportunities to reintroduce broader coverage to your program. Make time to truly understand how your cyber (and professional liability) policies dovetail with your risk. Ask yourself:
- Did you have to take on a ransomware sublimit or co-insurance on your policy recently?
- Are you exposed to GDPR (General Data Protection Regulation) or BIPA (Biometric Information Privacy Act) claims due to a novel exclusion inserted in the policy last year?
- Were there war-related or systemic event-related exclusions, and do you have a plan to address the unprecedented nature of these coverage restrictions?
3. Determine How Your Business Practices Affect Cyber Risk
Understand how your business has changed and evolved over the past few years—maybe even as a result of the pandemic. These changes may have increased your cyber risks. Ask yourself these questions:
- Is there an increased work-from-home presence?
- Have you migrated employee or customer data to the cloud?
- Are you engaging in more complex marketing and data collection practices?
- Have you introduced biometric collection to your systems?
- Are you operating unsupported or end-of-life systems in your network?
- Has your regulatory landscape changed by virtue of new geographies you serve or new statutes/regulations?
4. Know the Benefits of a Long-Term Relationship with Your Carrier
Never underestimate the gravitas of a long-term relationship with your carriers. The most overlooked benefit of the insurer and insured relationship is the concept of “premium in the bank.” While every carrier—rightfully so—will stress that the insurability of any claim is strictly contingent on the four walls of the policy, there is something to be said for having a multi-year relationship with an insurer for accommodations, exceptions, and improved claims outcomes. Furthermore, if you have a multi-line relationship with your cyber insurer, there is even more weight behind the concept of premium in the bank.
5. Ensure New Carriers Offering Lower Quotes Will Provide the Same Coverage
Understand that a competing quote at a lower price or deductible will almost certainly come with changes to your coverage—most of which are to your detriment. A competing primary quote that undercuts your program (especially in a drastic way) requires some healthy skepticism and research. Is the alternate quote from a newer carrier that is trying to buy your business in year one? Has the underwriter demonstrated a comprehensive enough knowledge of your risk profile to be “fully on board” with insuring your organization over the long term?
6. Learn from Your Own Claims Data
Review and contemplate your company’s claims activity. Have you reported any claims that have resulted in losses paid by your carrier? Are those claims reflective of poor controls around data security or resiliency? What lessons did your company learn and what controls did you implement as a result of the loss?
7. Test the Market If You’re in Doubt
If in doubt, undertaking a marketing exercise will help you gauge how the broader insurance ecosystem views your risk, which can inform how you adjust your company’s cyber risk management strategy.
If you cannot clearly glean where you stand with your carrier relationship or you have issues with coverage, pricing, or claims handling that are not being resolved, test the market. A broad marketing exercise is going to be a heavier lift for your team from a data collection standpoint, but it is imperative that you and your broker engage in this exercise if it is appropriate to “roadshow” your risk to understand your worth as a client to the marketplace.
If you’re unhappy with your job, doctor, or contractor, don’t you usually shop around? Use that same pragmatism for your cyber insurance buying strategy. The market is in flux, and not asking the question means the answer is always.