Continued widespread cyber attacks have leaders in just about every industry wary and watchful, and insurance underwriters are no exception. Given the increase in claims from recent ransomware attacks, cyber insurers are requiring even more information as part of their underwriting processes.
Applications for cyber insurance are already lengthy and require detailed information around specific practices, security controls, and protocols in place to prevent or mitigate threats. In order to determine an organization’s cyber risk, insurers need to review the following information:
Cyber Underwriters Will Review Your Information
Industry basics: These questions include how much and what types of information your company stores, processes, and transmits. In addition, underwriters look to see how you manage data security and who’s in charge of overseeing cyber-related matters.
Information security: Underwriters want to know if you have a formal program in place to test and audit security controls. Additionally, they are looking to see if you have controls in place, including but not limited to: anti-virus software and intrusion detection software, firewall technology, employee training (phishing), patching cadence, backup of key systems and databases (testing, disconnecting from network, separately storing), use of protective DNS and managing access (MFA and Privileged Access). Many also require best practices including end-point detection and response (EDR) tools, centralized log monitoring, and network segregation.
Data backup: Knowing how you handle backups help insurers understand your level of data loss risk and recovery. Underwriters want to know if you back up all of your and your customers’ data on a regular basis, if you utilize a redundant network, and if you have a disaster recovery plan in place that has been tested.
Compliance: Failure to comply with cyber-related legislation can be costly, and insurers want to know how you handle compliance with legal and industry standards. They will ask if you’re compliant with privacy regulatory frameworks (such as GDPR, CCPA) and, more recently, if you utilize end-of-life software and hardware.
Company policies and procedures: Communication is important to reducing your cyber risk. Insurers want to know what types of cyber security and incident response policies you have in place. You may also be asked how you handle password updates and employee training.
|In addition to a base application, the cyber insurers are also requiring various supplemental applications, including:
- Ransomware: Are multi-factor authentication for remote and admin access, vendor management, endpoint detection response, email security, patching, data backup and recovery, and other network protections in place?
- Dependent Business Interruption: What are your business continuity plans, incident response plans, and restoration and recovery procedures?
- Operational Technology: What are the practices and technology that monitor and control industrial process assets and manufacturing equipment, as well as those systems that sustain the environment for these systems?
The application process for cyber insurance is both detailed and exhaustive. However, taking the proper steps before the application process should reduce your data breach risk, making your organization more attractive to insurers and reducing your insurance costs overall.
Five Key Steps to Prepare for Cyber Insurance Scrutiny
Whether you are placing cyber insurance for the first time or headed into a renewal, preparation is key to meeting the rigorous demands of the insurers. Here are five steps you can take to ensure the best possible outcome with the level of information now required by underwriters during the cyber insurance placement process.
- Get your teams ready. With the level of information now required by underwriters, you can’t assign the insurance application or renewal process to just one person in your company. When it comes to preparing for the necessary and relevant topics and questions, you’ll need input from experts on various teams, including Compliance, Legal, and Information Security.
- Gather information. Insurers are looking for specific information around your current enterprise information security practices and protections, such as:
- Preparedness and compliance with privacy regulations. What actions are being taken around due diligence and implementing privacy policies, controls, and procedures?
- Protection against ransomware threats and review of audits and penetration testing. How is your company addressing any deficiencies?
- Awareness and protection around network interruptions and better understanding of your backup procedures, business continuity and incident response plans. How is your company testing these areas, and what are the results?
- Vendor management controls. If your business relies on third-party vendors for key information technology and security services, what is your vetting process, and are these vendors subject to the same standards that you have internally?
- COVID-19. Underwriters may ask questions specifically about your COVID-19 practices, such as how you’re responding to increased cyber risks with employees who work remotely, and how you’re training employees to avoid phishing and other social engineering scams.
- Review current controls and policies. Once you’ve gathered all the necessary information and documentation, it’s time to do a review. Do you have best practices in place that the underwriters want to see? If you are missing certain controls, are you working on them now or are they in the pipeline, and can they be completed prior to renewal?
- Address any problem areas. If you’ve discovered deficiencies and vulnerabilities during your internal or external risk audits and assessments, now is the time to start addressing them. Keep in mind that insurers are using similar tools, such as threat intelligence reports, as part of their underwriting process to monitor and scan a company’s networks for vulnerabilities.
- Remediation. If any potential problems are detected, underwriters will want to know that you have taken some type of action, or, at the minimum, have outlined a plan to address and remediate these vulnerabilities. Even if your remediation plan needs to be rolled out in phases over several months, underwriters will want to know it is underway.
- Highlight improvements. Details and transparency matter and can make or break the outcome. Be sure to clearly articulate the investments and improvements you are making in cyber risk mitigation.
If you answer “no” to questions on an application, you should provide additional detail as to why the answer is “no” and whether you have other compensating controls. You can also convey these details via an underwriting meeting/call. These conversations give you the opportunity to speak directly to the underwriters to highlight all the efforts and projects completed in the past 12 months and provide insight into what’s in the pipeline for the next 12 months.
Outcomes If Cyber Controls Are Unavailable
What happens if the insurance underwriter does not see your application responses as favorable? The underwriter could offer your company one or more of the following options:
Limiting the scope of coverage by modifying policy language to specifically include or exclude a specific coverage grant. For example, for business interruption coverage, you have “security failure” coverage (malicious attacks or events, which is more often a standard grant) and “system failure” coverage (unexplained or non-malicious events, which is not standard as it’s seen as a higher risk). Most insurers will provide business interruption for security failure but will limit or not provide system failure coverage.
Adding a sublimit or co-insurance to the coverage. For example, if an insurer is not comfortable with your security controls, they may sublimit and/or require a co-insurance for ransomware coverage.
Charging an additional premium to grant coverage. Insurers may be comfortable with insuring a particular risk, but may charge an additional premium to grant the coverage. So, going back to the example in Bullet 1, insurers might charge 10% to 20% more to offer business interruption coverage for “system failure.”
In order to get a better outcome in today’s cyber insurance placement or renewal, the best strategy is to invest more time into the process.
You can prepare by following the tips in this article, making sure you are thoughtful when articulating your unique risks and insightful when providing information around your controls, processes, and procedures.
One last recommendation is to start early. Aim for 90 to 120 days ahead of the renewal or inception date. When in doubt, ask your broker. Following these recommendations will set the stage for a more favorable outcome, such as better rates and coverage in a cyber market where risks and claims continue to increase and evolve.