Cyber Insurance Requirements 2021
Have you purchased cyber insurance and are now seeing increased requests for underwriting information on your renewal?
Or are you thinking about buying cyber insurance for the first time and concerned you may not fit the requirements of insurance companies to get coverage?
In this post and video I’m going to talk about:
The cyber marketplace in late 2021 and what’s going on.
So you’re either facing a bit of a challenging cyber insurance renewal and you’re wondering what’s going on, or you’re thinking of buying cyber insurance and you keep hearing stories about stringent underwriting requirements.
Let’s take these as two separate subjects.
First, you have cyber insurance and you’re facing greater underwriting scrutiny.
This is not uncommon. Many cyber insurers have stepped up their underwriting guidelines as well as their pricing structures in late 2021 in response to the tremendous increase in claims and ongoing threats.
An industry rating agency reports the loss ratio for insurers of stand-alone cyber insurance policies went from 34% in 2018 to 73% in 2020. We’re expecting that loss ratio, which measures the volume of loss dollars spent divided by the premium volume for that line of business, to worsen dramatically for 2021. Much of that impact is due to ransomware.
You are not being singled out for increased underwriting scrutiny!
All insureds are seeing more underwriting questions, more supplemental applications, and greater depth of questioning.
What we’re seeing in many cases is that underwriting questions are no longer simple yes/no questions that can present limited information to an underwriter. Instead, we’re seeing more questions asked in an open-ended fashion, like “please describe your backup systems” or “please provide details on how you authenticate wire transfers.” Underwriters and technical experts hope to gain a greater understanding of a firm’s security posture by doing so.
For larger firms, insurers want to know more about your preparedness and compliance plans, including recovery plans should a cyber event hit your firm. Not only will having the proper written plans in place satisfy your insurer, but they will also help to mitigate the cost and duration of an event should you be hit.
Another underwriting tool being deployed by several insurers is a cyber risk assessment tool that scans an insured’s perimeter security and provides a report back on two major areas: open port vulnerabilities and CVEs (Common Vulnerabilities and Exposures). CVEs are publicly catalogued software vulnerabilities that can be exploited by hackers. If a security posture scan reveals weaknesses in these two areas, your current policy may not be renewed unless these issues are resolved.
Here are the big five underwriting issues outside of risk assessment scans we’re seeing commonly today:
- Questions revolving around Multi-Factor Authentication or MFA. If you’re not deploying MFA on remote access, email, or other privileged access points this will be problematic.
- Back-ups – the frequency of backups, the method of backups, and the archiving of backups are questioned. In addition, we are seeing questions relative to the last time you tested back-ups successfully.
- Remote Desktop Protocol (RDP) management or disablement to prevent threats of ransomware delivery.
- Encryption on mobile devices.
- Wire transfer protocols that mandate a secondary means of authenticating wires over a certain dollar limit.
Now, a lot of clients say, “I’m not sure how to answer some of these questions.” I get it, and I’m no technical expert either, but what’s important is that you don’t guess. Get your MSP involved to answer them with you. If you’re afraid that your answers may increase your premium or decrease your chances of getting a favorable renewal, don’t sugarcoat the truth or make assumptions that it’s not really a big deal.
These questions ARE big deals and need to be handled properly because failure to be truthful or failing to fully disclose answers could land you in trouble if a claim occurs.
So, how do you make sure you get the best renewal outcomes possible?
First, start early. Your broker will likely send you a cyber renewal questionnaire 2 to 3 months prior to your renewal. Don’t delay in filling that out and getting it back to them. There may be follow-up questions and back and forth so giving yourself plenty of time in advance of the renewal is critical.
I know, I know. I hate filling out forms as well – especially when it’s technical, but don’t procrastinate. That does no one any good in the long run.
Second, well prior to getting that form, have a conversation with your MSP or your IT department and review some of the issues I’ve presented here. Is everything up to snuff? Is there anything you’re not doing that you should do in order to improve your security posture? Have you been holding off on an IT investment that you should pull the trigger on?
Answering these issues before the renewal process starts puts you in a much better position than not lifting the hood and peeking around inside your IT infrastructure.
Okay, now let’s talk about the company that hasn’t purchased cyber insurance and has heard that it’s increasingly more difficult to get than it was in the past.
This is true.
As I mentioned in the first part of this video, there is increased scrutiny on underwriting, IT security posture, and how you manage cyber risk.
But that doesn’t mean it’s impossible, especially if you’re a small firm under $5M in revenue. For many small businesses, there are still many cyber insurers that can quickly and easily get you through the underwriting process. You still need to have encryption, MFA, an acceptable backup strategy, and a secondary means of verifying wires, but the underwriting intensity is lessened.
Here’s the bottom line.
Whether you’re a small firm looking to purchase cyber for the first time, or you’re a larger mid-sized firm approaching a cyber insurance renewal, you will need to demonstrate a higher level of security and awareness than in the past.
This is not a bad thing. It’s good for you in two ways. The first is that better security lessens your chances of being breached, and the second is that your insurance pricing will be better than the average.
Wrapping this up, I think one thing is more evident today than even a year ago. The threats your firm faces from cyber risks are only going to grow. Those threats have the ability to shut down your operations, hold you hostage, and destroy your valuable data and systems. They can also destroy goodwill and your reputation, putting your firm’s sustainability at risk. That means you’ll need to invest more each year in your IT infrastructure and probably your cyber insurance as well.
Have other questions or concerns around cyber risk?
Not feeling you’re getting the support you need from your current broker?
Looking for answers to questions?
Give me a call or drop me an email. My goal is to help you have the peace of mind you’re looking for and that doesn’t always mean selling you a product. Let’s chat and see if I can answer your questions and if we might be a good fit for your business insurance needs, we can explore that conversation as well. No pressure, no heavy-duty selling tricks – just some conversation.