The pandemic has caused a wave of cybersecurity insurance claims. In response, many insurers have dramatically increased rates or reduced coverage to customers amid the deluge of remote workers and cyberattacks. Getting ahead of the curve is the best way to avoid an unpleasant surprise when renewal time rolls around.
Hefty Payouts, Higher Premiums
The true cost of ransomware is phenomenal. It goes far beyond the direct demands to include ruined networks, business interruption, and loss of reputation. In 2020, insurers paid out $416 million for claims. In the first six months of 2021, they paid out $590 million, according to a report by the Treasury’s Financial Crimes Enforcement Network (FinCEN).
All the mounting expenses led both US and European insurers to raise their premiums. Rates have nearly doubled in the US and spiked nearly 75% in the UK. In the most extreme cases, policy rates increased by 300%.
However, even with these dramatic increases, it’s more complicated than just charging people more and calling it a day.
Buttoning Up the Coffers
Attackers aren’t just playing a numbers game, going after swaths of companies and individuals until one of them turns a profit. On the contrary, some are becoming exceptionally sophisticated, going so far as to do their homework about what kind of policy their victim has, as they believe there will be a higher likelihood of payout.
So now, not only is it harder to get more insurance, but it also costs more and covers less. That’s an unfortunate triple whammy if you happen to end up on the wrong side of an attack.
To stay in the game, insurance companies who still offer coverage want to see as much prevention as possible from clients. Much like a home insurer might incentivize you to buy a smart smoke detector or wired alarm system, cyber insurers are partnering with clients that prioritize cybersecurity.
There are minimum security standards that underwriters are increasingly expecting clients to meet in order to even be considered for coverage. If enterprises misrepresent their policies or fail to maintain the integrity of their security, the insurer might be able to deny a claim in the case of an attack.
Don’t Get Blindsided
Now is the time to find out what your policy covers and what cybersecurity safeguards your provider requires. For instance, if one of your vendors is breached, will the insurance company cover the losses? If a government-sponsored group hacks you, will this be covered? What about if an employee loses their iPhone and it is used to breach your company? With the way the winds are blowing, it’s very unlikely that a cyber insurer will pick up the tab for any of this.
What You Can Do
While every insurer has their own expectations as to what makes for quality cybersecurity protections, there are at least a few minimum steps you should be taking to prepare:
- Virus scanning: This precaution should check for nearly any kind of malware. Look for programs that identify unusual patterns that may indicate an emerging threat, such as one attempting to undermine the scanner.
- Real-time network monitoring: Security personnel need to be alerted to incidents immediately, not in a report several days later.
- Policies: Written policies not only standardize your security, but they also give employees a reference when they’re unclear about what to do.
- Multi-factor authentication (MFA): A security control that has become nearly ubiquitous, this simple step can be a great way to force attackers to move on.
- Security testing: Your security controls and testing must be strong enough to block most threats and detect those that manage to break through.
- Data recovery: Businesses should ideally have a thorough recovery plan in place in case they are attacked. Reducing business interruption as much as possible is the best way to stave off the worst of a breach.
How an MSP Can Help
The right MSP or MSSP (managed security solution provider) can help you both implement and maintain a cyber insurer’s requirements, which can be the key to keeping your policy active and mitigating threats.
The benefit of this is really two-fold. Not only are you less likely to have to deal with the fallout of a hack, but you’re also more likely to be compensated should an overly ambitious criminal manage to snake their way through your security controls. Considering just how cautious insurers are being, there’s really no time to waste if you want to keep some type of coverage.