While there are several threats to businesses across the world, the top two attacks we see involve ransomware, where attackers encrypt critical information and systems to force a ransom to be paid so firms can return to work, and business email compromise, where intruders insert themselves into email conversations about payments in order to redirect those payments.
Starting in 2022, after two years of upticks globally in ransomware attacks, many insureds were shocked at changes in their cyber liability coverage. In some instances, policies were canceled as carriers cut coverage to firms that did not have mature cybersecurity risk management programs or basic security controls implemented. In some cases, rates increased dramatically; in others, insureds saw changes to coverages (sometimes in addition to rate increases), further reducing the value of the policy.
One thing most insureds had in common? They were surprised to learn of their insurance carrier’s insistence on required safeguard implementations. Travelers Insurance was among the first cyber carriers to require multi-factor authentication as well as other basic controls. Other carriers have followed suit and added requirements.
Because of these attacks and the cyber spillover from global conflict, our team is seeing an uptick in concern among firms regarding the resiliency of their third-party vendors and suppliers. As firms tend to the risks in their supply chains, they are looking at cyber risk, including the increasing probability that key suppliers may be ransomed. This is pushing firms to start requiring vendors and suppliers to have cyber insurance with the appropriate coverage.
All in all, we expect demand for cyber insurance to increase, as well as prices and requirements for obtaining these policies.
In talking to our insurance broker and carrier friends, we believe the trend will continue where insurance carriers mandate technical safeguards on their insureds. Frankly, it feels like the insurance carriers have more concerns than most regulators. The reason behind this? Payouts! Insurance carriers are in this to make profits, not payments. The mandated changes come from the lessons learned during payouts in which successfully attacked firms were missing safeguards.
As you near your renewal time in 2023, here are some things to think about:
- Invest in the relationship with your broker and make sure they have access to a cyber liability risk specialist. Talk to them early about renewal to gain a sense of what your underwriting form will ask and what your carrier might require.
- Additional time allows you to implement new technology controls (if those are insisted upon) as well as operational programs like business continuity planning or third-party risk management. While these items are not terribly difficult, they can be time-consuming. And, particularly with administrative controls, a policy or plan that says you do something you do not actually do is riskier for you than having no policy at all.
While differing from carrier to carrier, we are seeing a push for the following controls to be in place:
- Multi-factor authentication (MFA), particularly on remote access, email systems, and privileged user accounts. Every business email compromise attack we have investigated since 2020 has been on Microsoft 365, configured with weak passwords and no MFA.
- Security awareness programs, such as KnowBe4, are also becoming part of the requirements.
- Additionally, cyber risk assessments, vulnerability assessments and penetration tests are oftentimes required by the carriers.
- Some underwriters are insistent on formal business continuity plans, disaster recovery plans, and incident response plans. The carriers know that firms with plans to address potential disruptions are more resilient.
- Third-party risk management (or vendor risk management) programs are also becoming a part of the insurance conversation. These programs outline a process where critical and high-risk vendors are vetted and, in some cases, monitored to manage the risks inherent in those relationships.
- Carriers are beginning to require tabletop testing of business continuity, incident response, and disaster recovery plans. They may also require tests that measure the time to recover from backup in the event of a successful ransom attack.
It’s difficult to pull off big changes in a limited amount of time. Discussing insurance coverages and completing the underwriting form should be a joint effort with the CFO and the CIO or IT manager. Also, consider having both your attorney and cybersecurity/IT strategy advisor involved in the process. We see many firms answer affirmatively on the underwriting form when in reality they don’t have that control in place.
Regular testing should be done to ensure that the controls in place work as expected. Schedule the testing far enough in advance of your insurance renewal to improve the environment before underwriting begins.
Who is empowering your growth? GBQ’s Information Technology Services team can help you with all of your cybersecurity concerns, including the increasingly difficult process of securing proper coverage at the right price.