With the rising complexity and sophistication of cyberattacks, cyber insurance continues to evolve in a way that takes a much more active role in a policyholder’s cybersecurity posture. Long gone are the days where cyber insurance could be tacked on to an existing liability or property policy and be written up in 15-30 minutes.
Today’s cyber insurance practices require a level of compliance that involves a deep dive into every facet of an organization’s security environment – and that can be daunting. That’s why we brought together cybersecurity experts Lewie Dunsworth and J.R. Cunningham of Nuspire, and cyber insurance consultants Ethan Harrington and Mary Roop of 221B Consulting, to help navigate the intricacies of this ever-changing industry.
Cyber insurance wasn’t always as hands-on and meticulous as it is today. When it came onto the scene around 20 years ago, the cyberthreat landscape looked very different, and insurers weren’t sure how exactly to cover it.
“If I go back about 15 years ago, Ethan and I put together one of the first cyber insurance policies at H&R Block,” said Lewie. “Cyber insurance underwriters were asking really basic questions like, ‘Do you have antivirus?’”
Today, Lewie says, cyber insurance providers have increased the sophistication and complexity of their policies, aligning with the increase in the types and impacts of cyberattacks.
“Now, we’re seeing providers leverage cybersecurity experts to assess businesses on a much deeper level,” said Lewie. “They’re asking questions like ‘How many privileged users do you have?’ or ‘How many service accounts do you have?’ It’s all about making sure businesses are maturing their security programs at the same pace that cyber criminals are evolving.”
Like any insurance policy, cyber insurance policies can vary by carrier, but they all have commonalities. A high-level definition of cyber insurance is that it covers damages and losses due to a network security failure caused by a cyberattack or other tech-related risk or consequence (e.g., data breach, ransomware, malware, phishing/whaling or cyber extortion).
“Cyber insurance doesn’t just cover cyberattacks, but rather any tech-related risk,” Ethan said.
There are two types of costs a cyber insurance policy typically or potentially covers:
Frankenstein of coverage
“We’ve seen an incredible evolution of cyber insurance over the last 20 years,” said Ethan. “It used to be what we’d call a ‘Frankenstein of coverage,” where cyber coverage was tacked onto general liability or property policies, and underwriting meetings would often last just 15-30 minutes.”
There was also “silent coverage,” where if a company had a general liability policy that didn’t specifically exclude cyber coverage, then it would default to providing cyber coverage to the policyholder.
Market correction vs. market shifts
In the insurance industry, it’s typical to see a market correction every three to five years. Market corrections are spurred by a variety of factors, including a large number of claims, change in exposure, a specific industry getting hit harder than another, etc.
A market shift, on the other hand, is much more of a wholesale change. And that’s what we’ve been experiencing since 2019 (and especially in 2020).
“We’ve seen a shift in focus in the way carriers underwrite their policies – for example, asking to see complete financials, business projections and strategy,” said Ethan. “What we’ve also witnessed is a much deeper focus on the CISO, including their education, certifications, members of their team and more.”
“From a CSO perspective, I can say the caliber of insurance reps asking questions is wildly different than just a few years ago,” said J.R. “Today, folks on the other end of the phone are real, credentialed cybersecurity practitioners.”
Ransomware-specific cyber insurance changes
The number of ransomware attacks doubled from 2020 to 2021, and the industry has seen a 400% increase in ransomware claims.
“Ransomware is the No. 1 topic we get asked about,” said J.R. “Because the financial implications are very real, ransomware drives a lot of the activities within security programs.”
Because of ransomware’s prevalence and cost implications, there have been changes in waiting periods. At one point, affected companies only needed to wait six or eight hours to begin recovering losses; however now, waiting periods have increased to 24+ hours.
“What that means is if you’re back up and running within 24 hours of the attack, you don’t have an insurable claim,” Ethan said.
There have also been changes in sublimits, which are limits placed on the amount of coverage available to cover a specific type of loss. For example, if your total coverage limit is $50 million, you may have sublimits that will only pay out a portion of that amount – say $10 million – for a ransomware-related event.
Notice of Non-renewal
Carriers are sending more notices of non-renewal due to a large increase in cyber claims over the last few years. This can be a scary thing for businesses to encounter, because it often feels like it came out of the blue.
“We often get lulled into a sense of security when a policy is renewed, but it’s incumbent on us to remain vigilant throughout the policy period to ensure you stay compliant,” Ethan said. “Start planning your renewal at least three months in advance, and make sure the risk manager and CISO are on the same page.”
Non-renewals can be poorly-written when it comes to explaining why a business is losing coverage, so it’s important to connect with the carrier to fully understand the basis and potential remedy.
“Sometimes non-renewals are the result of something minor,” said J.R. “For example, a carrier runs a scan on your environment and finds a service or perceived threat vector that’s actually benign. Non-renewal notices don’t take into account why you’re running a particular service, so it’s important to address that with the carrier.”
Incident/Breach Response – can I use other providers/products?
Insurance providers have list of recommended vendors, called a data security panel, to assist in an organization’s response to a data incident. However, sometimes the organization has a preferred provider that isn’t on the list. According to Mary, organizations have the ability to add these providers, but it requires a fairly extensive pre-approval process.
“We recommend pulling together a list of providers at least one year prior to cyber insurance placement or renewal,” said Mary. “This gives the carrier plenty of time to vet your providers, and you time to respond to information requests.”
The vetting process can be quite extensive – expect to answer questions like:
Mary recommends making a list of secondary providers to have in your back pocket in case primary providers are unavailable. This gives cyber insurance providers assurance that there’s back-up if needed.
The insurance industry is laden with terms that are potentially unfamiliar to most security practitioners or may have non-obvious meanings. To help, we’ve compiled a handy PDF with the key terms and their definitions. You can download it here.
And remember, when in doubt, always ask an insurance expert.