Cyber insurance is becoming increasingly difficult and costly to obtain for both public and private sector organizations. Insurers require their customers to fill out lengthy questionnaires, offer no guarantee of coverage after a policy expires, and charge more for plans.
Insurance brokerage and risk management firm Marsh reports that US cyber insurance prices rose an average of 96 percent year-on-year in the third quarter of 2021. “Quote – undeniably ‘cheap’ will never be the same again.”
But there could be ways to make reporting more achievable, and Bay and the other panelists address the challenges and opportunities that lie ahead.
Prove good cyber practice?
Kyle Bryant, international chief underwriting officer for cyber insurance and cyber security solutions provider Resilience, said insurance companies are faced with the fact that cyber threats are evolving rapidly and the elements of a strong cyber security posture are likely to change. This has made it difficult for insurers to fully understand the long-term risk involved in covering a customer.
“These are all things that happen in real time as threats change, so a risk that looks good now may not look good tomorrow,” Bryant said.
Insurance companies wanting to better understand the risks are asking applicants to answer a series of questions, said Nick Schneider, president and CEO of cybersecurity firm Arctic Wolf.
“We had some clients here at kickoff recently who told us some anecdotes … and where their original policy was five questions and one guideline, the extension is 300 questions and maybe a guideline,” Schneider said.
However, questionnaires may not be the only way for insurance carriers to obtain information. Bryant said the cyber insurance landscape could evolve as applicants begin sharing data with insurers to demonstrate they are following good cyber hygiene practices. He compared it to auto policyholders having their driving monitored to get lower rates for safe driving practices.
“We have the ability to monitor employees to understand how quickly companies patch their business, how quickly they update their systems. That information is available, but right now there are many cyber security silos. Lots of MSPs [managed service providers] sit with us and many other technologies,” said Bryant.
Both Bryant and Schneider also suggested that insurance companies work with cybersecurity firms that can help them better understand cyber risks.
What do insurance companies pay attention to?
Panelists emphasized that they want customers to think of cyber insurance as backup support for recovering from cyber attacks – rather than making it their full defense and resilience plan.
“Anyone who has household contents insurance does not forget the alarm,” said Schneider.
Insurance companies want to see that prospective customers are following certain best practices that reduce their exposure to risk. Those practices may vary, but Bay said most insurers will reject customers who lack multifactor authentication or who don’t patch.
Bay said some insurers are in talks to strike a balance and offer some level of cyber coverage on the condition that customers follow good cyber hygiene practices. Customers who do not will see their insurance payments for covered claims lowered.
“Now new policy forums are coming out talking about these things like if you haven’t settled in 45 days start lowering your limits,” Bay said. “They’re trying to bring skin into play.”
Is everyone insurable?
Bay also said insurers should reconsider their options for offering cyber insurance.
“I strongly believe that we need to reorder traditional cyber liability until it can almost become a catastrophic loss policy, and then we can have lower limits, more flexible but standardized programs,” Bey said.
In the homeowner space, catastrophe insurance plans protect business and resident policyholders in the event of rare but expensive events not typically covered by standard homeowner’s insurance, according to Investopedia. These can include natural disasters and terrorist attacks.
Bay says MSPs often face difficult coverage prospects, but insurance companies may be more willing to cover them only for catastrophes.
“[MSPs] Supply chains are almost uninsured at this point because of the risk,” Bay said. “Many of these organizations are already doing the right thing, but that still puts them at high risk.”
GovTech previously reported that attacks that compromise MSPs’ services can quickly spread across their customer base: for example, the ransomware attack on IT software provider Kaseya affected an estimated 2,000 public and private sector customers worldwide.
Bay suggested that insurance companies may find it more comfortable treating MSPs as a high-risk group, only eligible for catastrophe insurance, and “lower, less expensive, or there is no low-deductible insurance.”