Cybersecurity Insurance Trends

Escalating Risks for American Businesses:

IBM defines cybersecurity as “the practice of protecting critical systems and sensitive information from digital attacks.” In reality, the average cost of a data breach in the United States in 2020 was $8.64 million (source). Here’s a common scenario, and how it plays out for an unfortunate business owner on some random Saturday evening…

An opportunistic hacker discovers a vulnerability that allows him/her to exploit your business information, sensitive financial accounts, personal emails, and passwords. Your company, along with dozens of others, is now barraged by a wide vector of unrelenting cyberattacks. As the clock ticks, your data is auctioned off on the dark web to the highest bidder.

Microsoft responds quickly and develops a new security patch to stop these threats from proliferating by Tuesday afternoon… just a few days later. Then on Thursday, antivirus providers are scanning computers worldwide to block/remove this newly-created malware.

Hurray, problem solved! Right? Unfortunately, your business has already been compromised.

So what’s the next step? You would probably dig out your insurance policy from a file cabinet or search for it in the “deleted” folder of your favorite email client. You might be surprised to discover that insurance companies have moved quickly over the last few years to shield themselves from financial responsibility for cyberattacks against your business. Here’s how:

Premium Increases

Some cybersecurity insurance providers have increased premiums by over 10x compared to what was seen in 2020! This can be contributed to a couple of key factors:

1. Rise in number of claims: As businesses recognize the need for cybersecurity insurance more are signing up. Unfortunatly, many are still operating with 2010 technology and practices that are leaving them vulnerable. This poor IT hygiene is leading to a significant claim percentage for insurance portfolios.
2. Increased claim payout: The cost for these claims has risen signifcantly. As an example, Merck’s $ 1.4 Billion insurance claim is the largest we have seen! For the organizations that choose not to pay the costly ransom, they find themselves paying incident response teams for forensics and remediations. Then, they need legal council to determine who needs to be notified of the breach depending on the cyber security forensics and applicable laws in their industry. Between all of these factors, Palo Alto Networks identified that “among the dozens of cases that Unit 42 consultants reviewed in the first half of 2021, the average ransom demand was $5.3 million. That’s up 518% from the 2020 average of $847,000.” https://www.paloaltonetworks.com/blog/2021/08/ransomware-crisis/
3. The calculation of risk: likelyhood*impact=risk Insurance providers are simply using this logic to determine that it is time for them to adjust their rate or go out of business.

New Approval Processes – Mitigating the Risk

How does any business deal with the calculation of risk? Lessen the likelihood and impact. The cybersecurity insurance providers see this and it is coming through even to the application phase. What used to be a simple rider on an E&O policy has changed to a dedicated cyber policy with pages of interrogative questions about your business operations. Do you use 2FA on all applicable systems? How long do you keep backups? How do you store them? Is there a patch policy? Do you perform cyber security training? Do you have a password policy? Password manager? The questions go on and on.

The Mistakes – Shifting the Risk

If risk can’t be mitigated, it is often shifted. The temptation for most executives or owners is to have your trusted business admin complete the application for you. So, let’s take 2FA as an example but the principles can extend to all of the above:

1. Business admin is busy and asked to perform a task outside of their skillset.
2. Out of ignorance, negligence, or lying they mark that all systems are using 2FA
3. A breach occurs
4. Forensics finds a compromise on systems without 2FA
5. Insurance provider denies the claim
6. What happens next??

It appears cybersecurity insurance providers are prepared to force compliance or deny claims. The risk is just too high.

The Silver Lining

If everyone is saying these things are best practices, how do you implement all of them in your business? Operationally and financially this can be daunting! It can feel like climbing Everest. I will tell you, it comes down to two main things:

1. Strategically creating policies and procedures to mitigate your risk
2. Systematicaly auditing the enviroment to prevent deviation from the standards above

At SUURV, we utilize the vCIO to determine what the best practices are for your business. We take into account your industry, vision, and the factors that make your business unique. Then, we ensure you don’t deviate from those best practices with proactive audits from our TAM. This creates a reliable, documented, and predictable environment that mitigates risk and can be accounted for.

With the vCIO and an audit trail on your side, you can have the confidence to answer those pesky questionnaires. Insurance is the last resort; however, so is a reserve parachute. Last I checked, most people use one when they skydive and check it prior.