Tuesday, March 22, 2022
Changing Cyber Insurance Market Calls for Enhanced Preparation
It is no secret the cyber insurance market continues to change, and obtaining such coverage is harder (and more expensive) than ever. However, with some additional risk reduction and preparation, organizations can better position themselves to purchase insurance, while also substantially reducing their cyber risks. As some organizations struggle to procure coverage, it is important to understand the forces causing these changes, and what is expected to happen going forward.
What is Happening and Why?
The short and overly simplified answer is that insurance carriers have had to pay out more money for claims. To reduce their own risks and exposure, carriers are now (1) increasing premiums, (2) reducing coverages, and (3) taking a more careful approach to the cyber risks they are willing to insure.
There is no shortage of reporting on increased cyber insurance premiums, with some relaying recent rises as high as 130%, and anecdotal evidence showing even more dramatic increases. Such pricing adjustments are not expected to subside any time soon, with others predicting continued large premium increases moving forward. These increases are not necessarily evenly felt across all industries, with some riskier sectors seeing higher premiums than others, and some being essentially priced out of the cyber insurance market. Self-insured retentions and deductibles are similarly rising, moving additional financial risk from the insurer to the insured.
Along with the increase in premiums, carriers are also reducing what coverage an insured receives in exchange for those dollars. Of note, many carriers have started to impose sublimits and co-insurance specifically applicable to ransomware claims. Some insureds have not paid close attention to these changes, leading to surprise when a claim is made.
To further reduce their own exposure, insurers are also asking for more information in the application process and can be extremely selective about what risks and organizations they will insure. As a notable example, virtually every cyber insurer now requires multifactor authentication on an organization’s systems as a precondition to obtaining coverage.
None of these trends are expected to subside anytime soon. The risks in this area continue to increase, and threat actors continue to enhance their capabilities. With that, claim activity will likely continue to rise as well, and insurance carriers will continue to reduce their own risk and exposure.
What Can We Do About It?
Many organizations seeking to purchase or renew cyber insurance have seen the changes discussed above and are struggling to procure adequate, cost-effective cyber insurance coverage. The good news is that with some diligence and work, most organizations can procure a good policy at a relatively reasonable cost.
Proactive risk reduction is the key to positioning an organization to purchase cyber insurance. However, it can be difficult to know which areas to focus time and financial resources on. There are often logistical and other challenges to implementing some controls. For example, most organizations are aware of the need for multifactor authentication, but some are impeded by the operational issues associated with requiring employees to use a personal device to authenticate.
Unfortunately, there is no one simple checklist to obtain cyber insurance. Given the differences among industries and organizations, the best practice to remedy these and other issues is to retain cybersecurity counsel to conduct a comprehensive proactive cyber risk assessment. Counsel, sometimes with the assistance of attorney-retained technical vendors, will analyze the legal and technical risks and make recommendations on how to reduce those risks. Experienced counsel can also provide advice on where to allocate resources to get the best value and make suggestions to overcome operational constraints.
Finally, it is critically important to have someone carefully read your policy, either before purchasing or after it is placed, to ensure the organization recognizes potential gaps in coverage and its obligations under the policy. It is to the detriment of the organization to wait until making a claim to find out what is in the cyber insurance policy. These policies are typically very lengthy and complex, with several intricately related definitions, endorsements, exclusions, and sublimits. Experienced cybersecurity attorneys and specialized brokers can provide guidance to help avoid the pitfalls in these policies.