Many organizations have historically made decisions to transfer cybersecurity risk by purchasing a cybersecurity liability insurance policy from an insurance carrier. Transferring risk has become popular because the magnitude and variety of cybersecurity risks that organizations are attempting to manage are overwhelming, and resources to mitigate or eliminate those risks are scarce. Obtaining insurance takes the pressure off business owners.
Understanding Cybersecurity Liability Insurance
Cybersecurity liability insurance typically provides coverage for expenses that an organization would incur directly because of a cybersecurity attack or incident. Examples of these expenses include:
- Associated legal fees
- Digital forensic services
- Negotiation and payment of ransom to bad actors
- Incident response and recovery services
- Restoration of systems and applications
- Public relations services
- Breach notification and credit monitoring services
The coverage provided by cybersecurity liability insurance has been attractive to many executives because the cost of the policies has traditionally been very reasonable and the benefit of transferring complex cybersecurity risk has been very convenient.
According to a special report published by FitchRatings in May of 2021, the cybersecurity insurance market grew by a whopping 22% in 2020. The same report indicated that the average paid loss for a cybersecurity claim grew to $359k in 2020 from $145k in 2019. Insurance carriers are excited about the growth of the industry but recognize that underwriting efforts need to be more stringent.
What does this mean for most organizations? It means that transferring cybersecurity risk is about to get complicated (and perhaps more expensive, too!).
Expected Changes for Cybersecurity Liability Insurance
Cybersecurity insurance will continue to be an available option for organizations looking to transfer risk, but insurance carriers are going to be much more particular about their underwriting process. Here are some of the expected changes:
- Expect a more comprehensive application process. Historically, an organization would be asked to provide some basic information about its cybersecurity controls to underwriters via a short form application. Going forward, underwriters are going to dig deeper and request, or even demand, evidence of more cybersecurity controls from applicants. Organizations will have to provide proof of specific controls such as:
  - Written information security plans, incident response plans, and disaster recovery plans
  - Formal cybersecurity awareness training programs
  - Strict access controls
  - A sound data backup strategy
  - Adoption of Endpoint Detection & Response (EDR) software
  - Current operating systems, firmware, and applications all patched regularly
- Expect underwriters to require proof of cybersecurity controls being implemented and functioning as intended. Many underwriters already require applicants to conduct nonintrusive vulnerability scans of their technology environments. Underwriters will conduct similar exercises to validate the existence and maturity of cybersecurity controls. Answering a short form questionnaire is a thing of the past.
- Expect automatic declines if key underwriting requirements are not in place. Insurers will be careful not to issue coverage to organizations that do not have the appropriate plans, controls, and processes in place to mitigate cybersecurity risk.
- Expect premiums to increase significantly. The sharp increase in the average claim paid on cybersecurity policies has underwriters concerned about profitability. There will certainly be a more rigorous underwriting process adopted (as indicated above), but don’t be surprised if that is also coupled with an abrupt price increase.
Great Lakes Computer Corporation Can Help Your Business
The anticipated changes being made to the underwriting process associated with cybersecurity liability insurance will encourage organizations to be more diligent about mitigating cybersecurity risk. Gone are the days when organizations could purchase a policy and not allocate the proper resources (time, money, or human capital) required to build an effective cybersecurity program. Perhaps this will finally force executives to address cybersecurity risk, an outcome that we at Great Lakes Computer Corporation couldn’t agree with more. But in order to get approved for insurance, you need to pass the application process. We can help you be ready: we can review your security and make recommendations to help you become more secure and qualify for insurance.