Q: What are the most important cyber insurance policy coverages for businesses?
- Notification and expense coverage
After customer data is compromised, there are state-regulated notification requirements an organization must follow. Cyber insurance companies help navigate and handle the notifications and expenses associated with them such as hiring a forensics expert to identify the cause of the breach, monitoring the affected individuals’ credit score, and paying costs to restore stolen identities.
- Business interruption
Remember when Kaseya, a US ransomware attack, led to Swedish supermarket chain, Coop, shutting down 800 stores? If Coop had business interruption coverage, it would help recoup (no pun intended) some or all the lost revenue.
In the event a group or individual decides to sue your business after a breach – for example, for negligence because you didn’t have the right security controls and procedures in place to stop sensitive data from being compromised — liability coverage would assist with legal expenses and/or settlement costs.
- Funds transfer fraud
The FBI estimates that since 2016, business email compromise (BEC) attacks have caused $43B in losses. If an unsuspecting employee falls victim to a BEC scam, funds transfer fraud covers helps cover losses.
If you find yourself being extorted after cybercriminals encrypt and potentially exfiltrate sensitive data, this coverage will help you attribute the threat actor, negotiate, and pay on the behalf of the business to regain access.
Q: How is the price of a cyber insurance policy calculated?
Cyber insurance policy premiums are calculated through a combination of objective and subjective factors.
The base price is typically determined by four objective factors:
- Type of business (financial, government, health care, etc.)
- Revenue of business
- Number of sensitive records the business is responsible for
- Location (some states and jurisdictions are more favorable toward victim awards, which can affect liability coverage and costs)
Next are the subjective factors: the underwriter can adjust prices depending on responses to their questions such as: does the business use multi-factor authentication (MFA)? Do they have a strong cyber incident response plan or partnership with a vendor? According to Logan, favourable answers can lead to discounts of up to 15%. But again, pricing will be primarily dependent on state regulations.
Q: Do tools like security rating services play a part in a company’s policy pricing?
Risk rating services, like Security Scorecard and Bitsight, are another subjective item that can influence an underwriter. For small and medium businesses (SMBs) especially, demonstrating a solid risk score can be seen as a positive by the insurance broker leading to further price reductions.
Q: What can businesses do to make themselves more attractive to carriers?
Before bringing out the dog and pony show, businesses need to have the basics outlined in the application: MFA, regularly tested offsite and onsite backups, a cyber incident response plan in place, etc.
Beyond these, carriers are looking for organizations that can demonstrate strong cybersecurity maturity. For example, a dedicated cybersecurity staff (depending on the business size) and/or a strong partnership with a cybersecurity company that provides additional services and products for continuous monitoring like EDR and XDR demonstrates cybersecurity maturity.
Q: How has cryptocurrency impacted ransomware policy coverage?
Cryptocurrency adds another layer of complexity during the ransom process, but it also shows the inherent value in having a cyber insurance policy.
Logan stated that whether a threat actor compromises sensitive data or shuts down your critical systems, there’s a 99% chance a ransom demand will be sent and 100% of the time it is asked to be paid in cryptocurrency.
Cybercriminals prefer cryptocurrency because it’s anonymous and hard to trace, but businesses don’t often have a couple hundred thousand dollars of Bitcoin sitting around. And even if you come up with the funds, you could be unknowingly breaking the law by sending money to an organization or individual on a restricted OFAC list. Your carrier can help you navigate the entire ransom process, from verifying the threat, negotiating the payout, and ensuring the FBI won’t be knocking at your door at the next day.
Q: What changes have you seen in the cyber insurance market during your decades of experience?
Logan remembers back in 2006, there were only three underwriting questions: How many records do you maintain? Have you had any claims? Do you have a backup system that you test periodically?
A few more questions were added throughout the years, but Logan noted the biggest changes occurred when COVID-19 hit.
The global pandemic led to an influx in remote workers, leaving systems more vulnerable. Simultaneously, threat actors became more sophisticated and focused on BEC and ransomware, leading to an uptick in claims. As a result, insurance brokers began to scrutinize which types of business would be eligible for coverage, applications became increasingly robust, and prices rose significantly even for existing customers looking to renew their policy.
Q: What are your predictions for the cyber insurance industry?
Logan expects to policy rates and coverage restrictions to increase for the next six months before stabilization will occur.
“When I say stabilization, that means we’ll see it flatten out. I don’t believe we’re going to see us go back to a time where prices were dropping drastically,” clarified Logan.
However, as more states restrict organizations from paying ransom demands, that could lead to cost savings as ransom coverage will no longer be needed.
Like auto or health insurance, cyber insurance is becoming a must-have to protect organizations from financial risk. Not only will coverage save you from drastic unplanned expenses, preparing to renew or obtain your policy will inherently force you to examine and potentially strengthen your cybersecurity maturity. To learn more about cyber insurance and cyber risk management, check out the following resources: