Cybersecurity insurance has become an increasingly important consideration for businesses in today's digital age. With data breaches and cyber-attacks becoming more frequent and sophisticated, companies need to ensure that they have adequate protection in place.
This new reality has cybersecurity insurance providers reevaluating the market and their position in providing coverage, which means coverage is not being renewed or premiums are increasing. Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021 (CNBC). Insurance companies are not afraid to say no to new coverage requests or renewals if an organization’s defenses are lacking or data recovery plans are inadequate.
Cyber Insurance companies are now circulating screening documents and checklists to help determine the overall risk that covering an organization poses. Part of that questionnaire requires detection and response capabilities.
While cyber insurance can provide valuable protection and support in the event of a cyber incident, it also presents several challenges that companies need to be aware of.
Those challenges are:
- Coverage limitations: One of the biggest challenges with cyber insurance is that policies often have strict limitations on what they will cover. For example, some policies may not cover losses sustained by third-party vendors, such as cloud service providers, or may exclude certain types of incidents, such as those caused by employee negligence. Companies need to carefully review their coverage to understand what they are and are not protected against.
- Cost: Another challenge with cyber insurance is the cost. While the cost of a policy can varies depending on the level of coverage and the size of the company, insurance can still be an expensive investment. For smaller companies, the cost of insurance may be prohibitive, especially if they already have limited resources for cybersecurity.
- Claim denial: A third challenge is that insurance companies may deny a claim for a variety of reasons, such as a failure to comply with policy requirements, such as regular security audits or breach notifications. Companies need to be aware of their obligations under their policy and ensure that they are meeting them to avoid having a claim denied.
- Slow claims processing: In the event of a cyber incident, time is of the essence, and companies need to be able to respond quickly to minimize the impact of the breach. However, the claims process for cyber insurance can be slow and complex, with many steps involved in evaluating and settling a claim. This can lead to delays in receiving the financial support that companies need to respond to a breach.
- Inadequate coverage: One of the biggest challenges with cyber insurance is that companies may not fully understand the coverage they have and may assume that they are adequately protected when they are not. For example, a company may have a policy in place, but the policy limits may be insufficient to cover the cost of a major breach.
So, what do insurers expect?
It all comes down to the organization's security posture. Does the organization have the right controls in place to mitigate the impact of a cybersecurity incident? Though not a comprehensive list, every organization should have the following 10 controls in place:
- Access Control: Ensuring that only authorized users have access to sensitive information and systems.
- Antivirus/Anti-malware: Protecting against viruses and malware.
- Firewall: A barrier between a trusted internal network and untrusted external networks.
- Encryption: Protecting sensitive information in storage and in transit.
- Backup and Disaster Recovery: Ensuring data and systems can be recovered in a disaster.
- Patch Management: Keeping software and systems up to date with the latest security patches.
- Awareness and Training: Educating users about potential security threats and how to avoid them.
- Network Segmentation: Dividing a large network into smaller, more secure segments.
- Intrusion Detection and Prevention: Monitoring network activity for signs of attack and taking actions to prevent it.
- Regular Security Assessments and Audits: Regularly evaluating security controls and ensuring they are functioning properly.
Even with all these controls in place, there are still caveats to making certain an organization has the right coverage to protect their organization!
What questions should you be asking?
- What types of incidents are covered by the policy, such as data breaches, cyber-attacks, and business interruption?
- Does the policy cover the cost of investigations, notification, and credit monitoring services for affected individuals?
- Is there a limit to the amount of coverage provided?
- Does the policy cover losses sustain by third-party vendors, such as cloud service providers?
- Is coverage provided for damage to electronic data and software?
- Are there any exclusions to the coverage, such as failure to implement adequate security measures?
- Does the policy provide coverage for extortion demands, such as ransomware attacks?
- Is there a requirement to notify the insurance company promptly in the event of a breach?
- Does the policy provide for ongoing support and resources, such as access to legal and technical experts?
- What is the process for making a claim and how long does it typically take to receive payment?
In conclusion, cyber insurance is an important consideration for businesses, but it also presents several challenges that companies need to be aware of. Companies need to carefully review their coverage, understand their obligations under the policy, and ensure that they have adequate protection in place. By being aware of these challenges and taking the necessary steps to address them, companies can better protect themselves against the monetary impact of a cyber incident.
If you are not sure where to start, Critical Path Security is ready and willing to assist you! We will help you prepare for meeting and exceeding cybersecurity insurance controls and requirements and work with your organization to prepare for a potential cybersecurity incident!