Cyber insurance: 5 tips to ensure you are ready
Are you prepared for the hike in cyber insurance premiums?
It is no secret cyber insurance premiums have gone up this year and are set for a further rise in 2022. Alongside this, cyber insurance underwriters are increasing the amount of due diligence they do before approving any policy. This article is designed to help you to avoid being hit with higher-than-average insurance premium increases. Before we get into our five recommendations, let’s take a look at the state of the cyber insurance market today.
Cyber insurance payouts rocketed during 2020
Cyber insurance providers are seeing a substantial increase in the average paid loss to policy holders following a cyber incident. According to a May 2021 report by Fitch Ratings, the average paid loss increased from $145,000 in 2019 to $358,000 in 2020. That’s a huge 247% increase.
Successful widespread ransomware attacks are a large driving force behind these substantial paid losses. None of this comes as a surprise to those monitoring cyber security news. The news now regularly includes cyber-attack stories such as the Colonial Pipeline ransomware attack or the Kaseya supply chain attack, which eventually left up to 1500 different companies impacted by ransomware.
Premiums are increasing as a result
As a result of higher paid losses, cyber insurance providers are issuing new policies and renewals with higher premiums. Simply put, the cyber insurance market was underpriced and is now catching up to the actual risk. However, higher premiums are only part of the story. Cyber insurance underwriters are making a greater effort to conduct due diligence when pricing premiums. In some cases they might even decide that the organization is uninsurable. At SHI we work with our customers to understand what insurers are asking them for when buying or renewing cyber policies.
Our top 5 tips to improve cyber insurance readiness
Here are some of the due diligence requirements we’re hearing about, and some advice on how to make sure you are ready.
1. Do your due diligence
Due diligence is no longer just a short questionnaire. Most cyber policies and renewals historically relied on a relatively unintrusive questionnaire. But all that is undergoing massive change. Now cyber insurance providers use tools to run external vulnerability and security risk evaluations of your environment.
Are you ready? External vulnerability scanning and quality penetration testing go a long way towards finding vulnerabilities and remediating them before the insurance provider does. It may also be helpful to find a partner that can provide visibility and help you reduce your attack surface.
2. Patch, patch and patch!
A common question that underwriters will ask is whether you are updating software and hardware. They will also check that your organization is not using end-of-life or unsupported versions of software or hardware.
Are you ready? Having an inventory of software and hardware assets is an important first step. Once an inventory is established, using a patch management solution will automate most operating system, firmware, and software updates. This reduces the time and resources needed to fulfill this control.
3. Use MFA for everything
Multi-Factor Authentication (MFA) is a core security capability and is widely accepted as a security “must have” today. Insurance underwriters know this and will confirm you’re using MFA.
Are you ready? All remote or elevated access to networks and systems or access to sensitive data should require MFA. Most SaaS apps and VPN solutions provide the option to set up MFA for their service, but this can lead to many disparate MFA solutions that employees must maintain. Instead, a dedicated MFA and Identity and Access Management (IAM) solution can streamline access across all apps and services while ensuring security controls remain in place.
4. Have an incident response plan
And practice it. A common control insurance providers will look for is a mature and practiced cyber incident response plan.
Are you ready? Make sure your organization has an updated cyber incident response plan. The plan should be comprehensive, identify key team members and decision makers, and include communications strategies, notification requirements, and incident response vendor contacts. Most importantly, the plan should be practiced often and regularly reviewed and updated.
5. Defense in depth is key
Cyber insurers know there isn’t a magic security bullet. After all, they are fighting the same security battles as most of their policyholders. In fact, in March of this year, cyber insurance provider CNA Financial Group paid the largest disclosed ransom ever when their own systems were targeted. Underwriters know there are many security technologies and controls that make up a mature security defense.
Are you ready? Security posture reviews, tool optimization assessments and risk assessments are all effective methods of making sure your organization has the right technology and that it is optimized. Consider working with an outside party to review your defense in depth posture to ensure it is effective.
Start now – It’s only going to get more difficult
If the steps above sound like hard work, that’s because they can be. And this is just the start. Cyber insurance is going to become more complex and costly in future. By taking these steps – either in-house or with help from specialists like the ITAM and Cybersecurity experts at SHI – you can get ahead of the game and your longer-term plan will be easier to execute.
We expect an increasingly stringent focus by insurers on email security, data loss prevention, encryption, security awareness, policies and governance, and risk management processes. The good news is that, by focusing on these five suggestions, it will be easier to prove effective controls, now and in the future.
If you have the skills to tackle the five steps above, you can start today. If not, help is at hand! Speak to one of our specialists today and we’ll show how SHI can help with any or all of the five steps critical to minimizing the cost of your Cyber Insurance in 2022.