

Trends Among Cyber Insurance Companies + A Cyber Insurance Checklist

By: Dataprise

Cyber Insurance Exclusions


A cyber insurance policy is a must for companies today, but not all policies are created equal. This is, in part, because it’s difficult to underwrite risk accurately. From the lack of data to the constantly evolving tactics of hackers, there are a lot of moving pieces.

Andres Franzetti, Co-Founder and CEO of Risk Cooperative, a national insurance brokerage, provided additional insight into the changing climate of cyber risk in our recent webinar. While cyber insurance coverage grew by 22% in 2019, loss ratios grew to 73% in 2020 — the highest they’d been in six years. To protect their pockets, many cyber insurance companies are both limiting coverage and exiting from non-profitable markets.

Cyber insurance companies are also increasing rates by up to 100%, all while paring down covered events. We’ll look at what you should know about the growing list of exclusions and what it means for your cyber protection.

What’s Not Covered in a Standard Cyber Insurance Policy?

Every cyber insurance policy will have its own terms, but common exclusions typically include the following:

  • Third-party providers: Suppliers and vendors of any kind can create huge gaps for their clients. If there’s a data breach due to their protocols, any resulting ramifications to your business are unlikely to be covered by your insurance.
  • Lost portable devices: Insurance companies will not take responsibility for lost or stolen portable electronics. (Some companies will modify this policy if these devices are encrypted.)
  • War, invasion, or terrorism: Any damage from government-sponsored groups or ideological origins may be excluded from the policy.
  • Security maintenance failures: The company must meet and maintain minimum security standards to have an insurance claim approved.

By definition, cyber issues overlap with a variety of insurance categories. While this may sound like it means coverage from several different policies, in reality it creates gaps for any organization. A robust cyber policy can mitigate most potential loss scenarios.

How to Redefine Your Protection Plan with Cyber Insurance Companies

Decision-makers at cyber insurance companies are putting a high priority on setting security standards for every customer — so there’s no question about what role the client plays in protecting their data. While the debate rages on about exactly what that means for each company, it boils down to enforcing stronger security controls. 

Precautions like two-factor authentication (2FA) and encryption aren’t just for conglomerates anymore; they’re for every business with a vested stake in continuing its operations. When underwriters see this technology in place before writing the cyber insurance policy, the policy is more likely to cover what the company needs it to cover.

Reducing Risk with a Cyber Insurance Policy

Cyber insurance plans go beyond financial risk transfer, so cyber policies can provide a range of proactive and risk mitigation services such as training, workshops, and more. Integration with Managed Security Services Providers (MSSPs) is another component.

Failing to take cyber security seriously — particularly when you factor in cyber insurance exclusions — is an open invitation to financial devastation. The best way for a company to respond is to be aware of their policy and what they can do to flesh out their own security standards.


Assessing Your Cyber Insurance Policy

The good news is the right MSSP can help a company assess their current program, implement more comprehensive security controls with managed infrastructure, and monitor and maintain the system from there. Managed cybersecurity allows companies of all sizes to adopt a more holistic plan, one that minimizes the odds they’ll ever need to file a claim with cyber insurance companies in the first place.

What are the Requirements for Cyber Insurance? Cyber Insurance Checklist

In this ever-evolving market of cyber insurance, carriers evaluate client risk when reviewing cyber coverage applications. As a first step toward insurability, our partner Risk Cooperative developed this checklist summarizing six key areas for cybersecurity and the minimum standards underwriters anticipate. While the criteria for optimal rates and coverage are in constant flux, meeting these standards has become more crucial than ever before to ensure adequate protection.

Data Security

  • Are automated virus scans being performed on a regular basis?
  • Do you have real-time network monitoring for possible intrusions or abnormalities?
  • Is there a written information security policy in place, with annual employee training and certification?
  • Do you use multi-factor authentication for remote access?
  • Do you have an Acceptable Use Policy to communicate appropriate use of data to users?
  • Do you conduct the following exercises to test security controls: internal vulnerability scanning, external vulnerability scanning, penetration testing?

Business Interruption & Data Recovery

  • Do you have the following plans in place: Disaster Recovery Plan, Business Continuity Plan, Incident Response Plan?
  • Have these been tested within the past year?
  • Do you have offsite (e.g. cloud) back-ups less than a month old?
  • Are your backups kept separate from your network (‘offline’), or in a cloud service designed for this purpose?
  • Have you tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months?

Funds Transfer

  • Does your team have some method of multi-factor authentication before transferring any funds?

Email Security

  • Do you pre-screen e-mails for potentially malicious attachments and links?
  • Do you provide a quarantine service to your users?
  • Can your users access e-mail through a web app on a non-corporate device? If so, do you enforce Multi-Factor Authentication?

Third Party & Vendor Relationships

  • Do your written contracts with third-party providers address care, use, and control of sensitive or confidential information?
  • Do you have a formal assessment of the security risks associated with the new vendor?
  • Do you have a contractual provision to indemnify your firm in the event of a security failure or loss of confidential information?
