Many organizations have historically made decisions to transfer cybersecurity risk by purchasing a cybersecurity liability insurance policy from an insurance carrier. Transferring risk has become a very popular risk response mechanism because the magnitude and variety of cybersecurity risk that organizations are attempting to manage is overwhelming and resources to mitigate or eliminate the risks are scarce.
Cybersecurity liability insurance typically provides coverage for expenses that an organization would incur directly because of a cybersecurity attack or incident. Examples of these expenses include:
Associated legal fees
Digital forensic services
Negotiation and payment of ransom to bad actors
Incident response and recovery services
Restoration of systems and applications
Public relations services
Breach notification and credit monitoring services
The coverage provided by cybersecurity insurance liabilities has been attractive to many executives because the cost of the policies has traditionally been very reasonable and benefit of transferring complex cybersecurity risk was very convenient.
According to a special report published by FitchRatings in May of 2021 the cybersecurity insurance market grew by a whopping 22% in 2020. The same report indicated that the average paid loss for a cybersecurity claim grew to $359k in 2020 from $145k in 2019. Insurance carriers are excited about the growth of the industry but recognize that underwriting efforts need to be more stringent. What does this mean for most organizations?
It means that transferring cybersecurity risk is about to get complicated (and perhaps more expensive too!).
Cybersecurity insurance will continue to be an available option for organizations looking to transfer risk, but insurance carriers are going to be much more particular about their underwriting process. Here are some of the expected changes:
1. Expect a more comprehensive application process. Historically, an organization would be asked to provide some basic information about their cybersecurity controls to underwriters via a short form application. Going forward, underwriters are going dig deeper and request, or even demand, evidence of more cybersecurity controls of applicants. Organizations will have to provide proof of specific controls such as:
Written information security plans, incident response plans and disaster recovery plans
Formal cybersecurity awareness training programs
Strict access controls
A sound data backup strategy
Adoption of Endpoint Detection & Response (EDR) software
Current operating systems, firmware and applications all patched regularly.
2. Expect underwriters to require proof of cybersecurity controls being implemented and functioning as intended. Many underwriters already require applicants to conduct nonintrusive vulnerability scans of their technology environments. There will be similar exercises conducted by them to validate the existence and maturity of cybersecurity controls. Answering a short form questionnaire is a thing of the past.
3, Expect automatic declines if key underwriting requirements are not in place. Insurers will be careful to not issue coverage to organizations that have do not have the appropriate plans, controls, and processes in place to mitigate cybersecurity risk.
4. Expect premiums to increase, significantly. The sharp increase of the average claim paid for cybersecurity insured has underwriters concerned about profitability. There will certainly be a more rigorous underwriting process adopted (as indicated above) but do not be surprised if that is also coupled with an abrupt increase in price.
The anticipated changes being made to the underwriting process associated with cybersecurity liability insurance will encourage organizations to be more diligent about mitigating cybersecurity risk. Gone are the days when organizations could purchase a policy and not allocate the proper resources (time, money, or human capital) required to build an effective cybersecurity program.
Perhaps this will finally force executives to address cybersecurity risk?
Need more information, help with forms or just to answer some cyber liability questions? Contact ISM at 406-443-8386