Many organizations have been surprised when they find that cyber insurance premiums have gone up and they now have less coverage. Some organizations are not able to renew their insurance pending proof of meeting the insurance company’s requirements that they have the controls needed to protect and defend themselves against cyberattacks. In another organization, a cyber insurance company denied their renewal because they could not clearly identify their cyber risk which the insurance company stated is reviewed periodically.
Organizations who have self-attested on their insurance applications to having appropriate controls are finding themselves in court post-incident by the insurer to rescind cyber insurance policies due to representations that were not accurate.
A few things seem apparent:
- Cyber-attacks have increased in number, complexity and severity impacting organizations’ operational, financial, and reputational risk.
- Once an incident has occurred, the controls organizations have in place becomes revealed.
- Cyber insurance will only be available if organizations implement appropriate cybersecurity controls.
With organizations continuing to pursue a digital agenda, moving to the cloud and adopting more internet-facing systems, it only increases their attack surface making them more susceptible to a cyber-attack. Many have heard the comment, “it’s not a matter of if but when” a cyber-attack occurs. This is because there is a high likelihood of a cyber-attack upon your organization with the potential for serious operational, financial, reputational, and legal risk exposure. The legal exposure is due to an increase in cyber regulation and enforcement across industries. As such, cyber is a risk that companies cannot ignore, and insurers will not budge unless organizations can address their risk with appropriate security controls.
Cyber insurance premiums rose between June 2020 and June 2021, spiking by 32%  which aligns with the increase in cyber activity since the pandemic. Cybercrime increased by 600% percent since the COVID-19 pandemic . In 2021 the publicly reported data breaches soared past the previous year’s total.  Phishing was the biggest culprit, with 36% of data breaches due, at least in part, to employee credentials stolen through a phishing attack,  96% of which occur through email.  Ransomware is also running rampant with ransomware attacks increasing by 80% year over year, and double extortion (where you do not get your data back) increased by 117%. 
The cyber insurance market is relatively new in terms of the significant increase in organizations that are required to have cyber insurance since the pandemic. Insurers are using recently available data from cyber-attacks to understand what this means for the underwriters. As such, the cyber insurance landscape continues to evolve.
Cyber insurance is a requirement to assist in risk mitigation post-event, therefore it’s important for businesses to understand the controls they must implement for cyber insurance to be affordable and available to them. Failure to implement will result in a denial of coverage. And, as mentioned previously, stating that you have controls in place when you do not will result in a denial of a claim if you have an incident.
Common controls requested by insurance companies (not exhaustive):
- Cyber Risk Assessment
- Multi-Factor Authentication
- Anti-Virus, Anti-Malware, and/or End Point Protection Software
- Critical Data Back Ups
- Stored Critical Data separate from network data and tested regularly for restoration.
- Patching of systems completed within 2 months
- Email scanning for malicious attachments and/links
- Incident Response Plan
- Encryption of servers and workstations (encryption of data at rest)
- Encryption of data in transit
It is important to be proactive when it comes to your cyber insurance renewal. Do not wait until your renewal to find out from your carrier what their requirements will be this year. Withum can assist you in understanding those requirements and with the implementation of those controls that will be required.