Cyber Insurance Impact on Business is an article that addresses recent trends within the cyber insurance industry, and how these trends are impacting organizations like yours.
Excerpts appended from databarracks.com.
4 Top Cyber Insurance Facts
#1 Cyber insurance coverage will become a business mandate.
Mitigating risk with a cyber insurance policy is surely a best practice for all organizations, no matter their size. Although general liability insurance carriers do not yet mandate cyber insurance coverage, that day is quickly approaching. Several industry experts predict that by 2024 cyber insurance coverage will no longer be optional. However, there is no industry consensus on this timeline.
#2 Ransomware Attacks on the Rise
Increases in the number and severity of ransomware attacks are driving demand for cyber insurance policies.
#3 More Stringent Requirements
Policy underwriters are increasing the number and depth of requirements that must be met to obtain cyber insurance coverage.
#4 Benefit Reductions & Increased Premiums
When it comes to losing money, insurance companies are just like business owners everywhere – they want to limit risk and maximize gain. Due to the ever-increasing pace and potency of cyber attacks, insurance providers are reacting with more stringent requirements, and once you have a policy in place some insurers are reducing benefits while increasing premiums.
Why cyber insurers have been paying out on ransomware
Insurance companies have preferred to pay the ransom rather than have the policyholder recover internally from backups, because paying seemed like the less costly option.
If the ransom is set at $1m, the insurance company can pay the $1m, or it can advise the business to refuse and recover from backups. The recovery may take several days or even weeks. That might mean the business claims $10m from its Business Interruption coverage. Paying the $1m ransom seems like the cheaper option.
That makes sense if you look at each case in isolation. However, if you look at the entire system, it becomes clear that paying out on ransomware is a bad idea. It feeds a vicious cycle: more attacks lead to more payouts, which lead to more attacks. Insurance companies were starting to pay out far more than they could afford.
Changes to cyber insurance coverage
Insurance companies have quickly realized that the situation isn’t sustainable. They are responding by implementing the following changes:
- Increasing the cost of cyber insurance cover
- Having more stringent assessments on a policy holder’s ability to recover without making an insurance claim
- Not paying the ransom
This isn’t unique to cyber insurance. Home insurance requires you to have locks on your doors and windows. Car insurance premiums are lower if you have alarms and an immobilizer.
Cyber Insurance Application Requirements
Most insurance companies have recently revised the application requirements for cyber insurance. Here are the prerequisites and questions your organization will likely have to address in order to qualify for a policy.
- Multi-Factor Authentication (MFA) is a must-have: The vast majority of cyber insurance companies are now mandating that all users as well as the applications/software are protected with multi-factor authentication.
- Are your backups separate from production data? What the insurers want to know is whether an issue on your production systems could spread to your backups. This is a key component that many organizations have struggled to solve. If you have a local appliance or are backing up between sites, backups are sometimes not properly segregated from production data. You would always segregate them if you were sending backups off-site to a data center or the cloud, and you should do the same on your own sites.
- Are backups encrypted? Whether they're on removable media like tape or in a remote data center somewhere, you don't want them to be readable by anyone else.
- Is the recovery process fully tested and robust? Practice makes perfect – right? Accordingly, insurers want to know if your backup has been thoroughly tested. The trend is toward requiring evidence of the recovery. Most insurers require proven test results within the last quarter, 6 months, or year. Annual testing, at a minimum, is now going to be a requirement for cyber insurance policies.
- Do you have a Business Continuity Plan / Disaster Recovery Plan / Cyber Incident Response Plan? This doesn't necessarily mean tomes of documentation. Plans should always be appropriate to the organization. Smaller, less complex organizations don't need overly complicated plans. In fact, short, clear and concise plans are better. Having a documented disaster recovery plan means that you've actually considered and documented how you respond to an incident, how you would recover, and how you would keep the business in operation. It's not good enough to fly by the seat of your pants and work it out as it happens.
Additional Details Insurance Underwriters Are Demanding
More sophisticated insurance providers are now asking for backup-specific information like Recovery Time Objectives and how long it would take for you to recover from an incident.
Expect questions like:
In the last X years – have you had a ransomware attack / notified customers about a data breach / had an outage longer than 8 hours?
Insurers will be checking on your history and record of attacks and outages to see if you are a sensible bet to insure. If you have a track record of attacks, breaches and outages it will be harder and more expensive to find cover.
What is your annual budget for IT / Cyber?
Throwing money at your cyber defense does not guarantee you're well protected, but we assume insurance companies will use this answer as a simple sanity check to see if IT and cyber security are being adequately resourced.
Do you use any software beyond end of life?
Staying up to date with software and patches is one of the fundamentals of good cyber security. You don’t need a big budget to do this well, you just need to have the process in place and the discipline to stay on top of updates.
What cloud services do you use that are essential to your operations?
Your supply chain is critical for you to deliver your services. As cloud adoption has increased, business operations have become increasingly reliant on cloud services like Microsoft 365, accounting, CRM and ERP systems. GBS has not yet witnessed detailed questions about the resiliency of your systems in these cloud services, but we do expect more detailed investigations in the future.
How often do you audit the security of your cloud and other service providers?
Your ability to influence suppliers like cloud providers or service providers is less than the control you have over your internal systems. But, if your suppliers can’t meet your needs, you can take your business elsewhere. It is important that you know how these suppliers operate and treat your data. Insurers expect you to audit your suppliers at least annually or every 6 months.
Value of a Managed Service partner
GBS delivers full-service Managed Services (Managed IT and Managed Security) solutions to organizations of all sizes and verticals. We are a leading solutions provider and have been so for over 25 years. Our comprehensive consultation, network design, installation and management work includes cyber insurance readiness planning. As your Managed Services partner, our solutions will help reduce your risk of cyber loss, optimize network efficiencies, and protect your organization's data. Contact us for a no-cost cyber security / cyber insurance consultation.