Webinar Recap: Is Your Business a Good Candidate for Cyber Insurance?
Interest in cyber insurance is growing, and for good reason.
As businesses have had to act quickly to adapt to changes brought on by the global pandemic, opportunistic cybercriminals have followed suit. It is no surprise, then, that ransomware – the criminal act of holding software or data for ransom – is sharply on the rise year over year, a trend that’s showing no sign of slowing through 2022.
With the occurrence and impact of attacks increasing, businesses are starting to wonder whether it’s less a question of if they will get targeted than when.
The growing awareness of cyber threats has meant a corresponding increase in demand for coverage and a significant shift in the cyber liability insurance conversation. Specifically, businesses are investing in cyber hygiene to qualify for coverage instead of as an attempt to lower their premiums.
To address the most pressing questions about cyber insurance, we talked with four experts from cyber insurance companies to help business owners understand the benefits of cyber insurance, cyber insurance policy coverage, and the role of excellent cyber hygiene.
Here’s a recap of the conversation moderated by Patricia Harman, editor-in-chief of the Property Casualty 360 Group, with:
Theresa Le, Head of Claims and Risk Engineering at Cowbell Cyber,
Andrew Lipton, VP, Head of Cyber Claims at AmTrust Financial Services, and
Shiraz Saeed, VP, Cyber Risk Product Leader at Arch Insurance Group.
Cyber insurance coverage protects your business from the financial impact of a cyber attack
A single claim event can have potentially devastating consequences for businesses. In our last conversation about cybercrime insurance, we discussed how fallout could drive organizations out of business.
Increasingly aware of this possibility, many businesses’ interest in cyber insurance comes from a place of fear. And that’s not necessarily a bad thing. “We like to scare folks,” Lipton said (partly) in jest.
If business owners and operators are afraid, it’s because they’re paying attention. That awareness puts businesses in a much better position to protect themselves and avoid the pitfall of thinking of cyber insurance after it’s “too late” – once they have already been the victim of an attack.
Another reason, as highlighted by Le, is that “now, more than ever, cyber insurance is becoming a requirement under contractual obligations” in the context of partnership or customer agreements, for example.
But satisfying a requirement and compensating financial damages after the fact only scratches the surface of what many cyber insurers are offering their clients.
For one, as Saeed said, “... what’s unique about cyber insurance is the incident response part of it.” In other words, cyber insurance coverage goes beyond a claim payout and includes a multi-faceted response plan.
Depending on the nature of the incident, you might need help from a lawyer or cybersecurity firm to negotiate and pay a ransom or recover your lost data.
If sensitive data is released, that could call for an entire suite of services, such as:
a public relations firm,
identity monitoring services, and
a call center to notify affected individuals.
Cyber insurance coverage can even support legal fallout, including a defense budget for a class-action lawsuit and preparation for a regulatory proceeding. It’s not surprising, then, that Saeed states there may be up to twelve insurance agreements on a single cyber insurance policy.
Overall, think of the benefits of cyber insurance for businesses as being holistic protection from the risk and impact of cyber insecurity.
Cyber insurers help businesses to prevent attacks and minimize their impact when they happen
For cyber insurers, prevention is the cure.
As you can tell, cyber insurance proceeds are often complex and costly. That means businesses investing in cybersecurity and their insurers share a common goal: to minimize the negative impact of a potential attack with preparation before and support during the event.
Sometimes it’s very easy to think of cyber insurance ... as being similar or akin to a property insurer or something like that. Cyber insurance is unique in that ... we are actively involved in mitigating the severity of a claim every single time.
- Andrew Lipton
VP, Head of Cyber Claims, AmTrust Financial
And cyber insurers are uniquely positioned to do so. With property insurance, Lipton explains, your insurer can’t lessen the impact of an active hurricane on your home while it’s happening. What’s more, they’re unlikely to show up at your door during a hurricane warning, ready to nail plywood to your door frames and install impact-resistant shutters.
But helping to mitigate damage is precisely what an effective cyber insurer will do, minus the shutters. All panelists agree: cyber insurance is about a partnership and not merely “tick[ing] boxes,” confirms Le.
How to qualify for cyber insurance in 2022
The anatomy of risk assessment is twofold. First, insurers want to know the likelihood that an event will occur. Next, they want to know how much damage it will cause. For cyber insurance, Saeed explains, because it is near impossible to predict likelihood, insurers assume an event will happen. So for cyber risk assessment, more attention is paid to the potential amount of damage.
Ultimately, the damage or severity of impact depends on the business class.
Direct-to-consumer businesses handling private and personal information, for example, belong to a high-risk, high-impact category. In contrast, B2B companies with no personal data storage are slightly less vulnerable.
In any case, when it comes to qualifying, all three panelists agree that the process involves a combination of risk assessment or scanning accompanied by a questionnaire. The ultimate goal is to assess vulnerability.
What this looks like will depend significantly on the size and nature of the business. According to Le, insurers make decisions like these on an (almost) “policyholder by policyholder” basis. Saeed added that “You could get upwards of 125-plus unique questions being asked, depending on the size of your organization and the type of business that you’re doing.”
But qualifying is far from a passive process. Agreements between insurers and the insured come down to cyber insurance risk management. And businesses can reduce their vulnerability and risk in a few proven ways.
Cybersecurity hygiene is a significant factor. According to our panelists, businesses should strive to implement secure behavior, protocols, and tools.
Implementing secure behavior means addressing “the human factor,” as Lipton calls it. Examples include training employees to identify phishing emails and understand the risks around attachments and links, and providing general education on practicing good cybersecurity hygiene.
Security protocols and governance involve having the proper procedures in place and appointing educated staff members to create and implement them. Saeed provided several examples, including having:
viable and tested data backups
a (tested) incident-response plan
third-party vendor controls and partnership due diligence
Finally, implementing cybersecurity tools can make compliance with best-practice protocols simple and scalable for any organization. Saeed and Le both spoke about the challenges of access management and the importance of multi-factor authentication: issues that a password manager can address.
One thing is clear – whether your team has access to the right tools to make security compliance clear and easy could be the cybersecurity make-or-break factor for your business.
It makes sense to do all that you can in preparation for your application, but our experts emphasized that the process isn’t cut and dried or “one and done.” Instead, as Lipton, who deals primarily with cyber insurance for small businesses, stated: achieving insurability can be a collaborative process.
Renewing your cybersecurity insurance
Business owners and operators might worry that having suffered an incident or attack will mean that they are less likely to qualify for cyber insurance or to have their policies renewed.
However, as indicated by our panel, this is not necessarily the case.
According to Lipton, having suffered from an incident could even be an asset. While this is less apparent with the growing awareness of threats to cybersecurity, the challenge of convincing businesses of both the importance of cybersecurity and the likelihood of an attack is still there for insurers.
Because “past is prologue,” according to Lipton, the insured or prospective clients who have already experienced an issue with their cybersecurity are much more likely to understand the potential threats facing their business. And this understanding is the first step in building up robust protections against future offenses.
What matters most, all three experts agree, is how the business responded to the attack.
In the best-case scenario, an adequate level of preparedness will have safeguarded the business and softened the impact of the attack in the first place. But even if the vulnerability or attack was the result of an oversight or mistake, recovery measures are essential for insurers making risk assessments.
I think it does need to be looked at on an individual basis, almost, because no two claims are the same and so we’ve seen very good cybersecurity protocols in place [but] there’s no iron clad system. So we acknowledge that things can still happen even if you had everything you needed that we’ve recommended. ... Was it a one-off? Why did this happen, what did the insured learn from it? If there were vulnerabilities, exposures there, did they get them taken care of?
- Theresa Le
Head of Claims and Risk Engineering, Cowbell Cyber
Saeed added that a common issue is making post-incident repairs in haste, when, crucially, an adequate response must involve addressing the specific vulnerabilities that were exploited during the previous attack. If financial losses from a ransomware attack were compounded because of the absence of data backups, securing those backups after the fact should be a top priority.
Taking the proper steps to close the loop on known vulnerabilities will satisfy insurers considering a renewal application that the attack has proved to be an asset rather than a liability.
Where to start: the low-hanging fruit of improving cyber hygiene
The demands of cybersecurity can be overwhelming. However, it can be easy to get started down the path to making your business less vulnerable, more secure, and finally, more insurable.
The right security tools stand to make adhering to best practices for cybersecurity near effortless, offering simple, scalable solutions that involve low investment and a high return.
Weak passwords are among the top causes of data breaches for businesses, making password management (or lack of) important for insurers in assessing vulnerability. Poor password hygiene can mean members of your organization are essentially giving away access to private information, saving bad actors the trouble of hacking.
According to our research, password hygiene is a universal problem for businesses. Fortune 500 companies, for example, are no better with password protection. A staggering 20% of passwords are the company name or a close variation. Worse, “password” is still the most common password used across all industries.
The reason isn’t carelessness and probably not lack of awareness either, meaning having stricter protocols around password creation is not likely to help. Simple passwords can be remembered quickly and save time. As it is, users already spend seven to twelve hours a year remembering and resetting their passwords – a number they are not likely to want to increase, especially during work hours.
And unfortunately, “If you can remember your password, it’s not strong enough,” says NordPass’ Head of Product, Gediminas Brencius. So asking employees to use unique, secure passwords is an impossible task likely to result in stress without a meaningful result for your business.
Implementing a password manager solves this problem, allowing you to set safety protocols around password requirements, verify that they are being adhered to, and most importantly, make the process stress-free and straightforward for your employees.
Password managers can also help implement MFA, or Multi-Factor Authentication. MFA requires that users submit additional proof of identity (beyond their password) to access systems, software, or email, a practice that is already widely considered a mandatory requirement for cybersecurity insurance.
Lipton understands that his clients are often hesitant to navigate through security suite software to find the right fit. In that case, Saeed offers a suggestion:
If you’re lacking password management, multi-factor authentication, or in general, identity access management tools and we require that as one of the requirements, well what do [you] do, who should [you] call? Well you can call NordPass…
- Shiraz Saeed,
VP, Cyber Risk Product Leader, Arch Insurance Group
A business VPN, or virtual private network, can mitigate vulnerability by controlling access to data and resources. It works by allowing remote workers to connect to a business’s network through a secure, private portal instead of the public internet.
As remote work is more commonplace than ever in 2022, businesses can expect cybersecurity insurers to pay close attention to vulnerabilities concerning a work-from-home environment.
A secure cloud
Like the other cybersecurity tools discussed, a secure cloud environment offers protected access to private data, making it simple to retrieve for authorized users but outside the reach of prying eyes and potential bad actors.
Secure cloud software is the first line of defense against ransomware, locking access to your files and generating an automatic, safe backup. Backups were a hot topic during our first panel discussion on cyber security insurance.
With the rise in cyber attacks on businesses and the increase in vulnerability with the prevalence of remote working, the importance of cybersecurity insurance cannot be overstated. What was once considered a nice-to-have resource is quickly becoming a necessity.
It’s not all bad: a healthy fear of cyber insecurity can be a good thing, allowing businesses to equip themselves with robust protections that will (ideally) prevent attacks or at least very much reduce the impact of an incident when it happens.
More good news: cyber insurers can act as partners in your cybersecurity journey and help you understand where your most significant vulnerabilities are and how to reduce or eliminate them.
The even better news is that you don’t have to wait on a cyber insurance agreement to enhance your business's security and insurability. Implementing cybersecurity tools can help you to solve the most common “human problems” and enforce security protocols effectively and at scale, starting now.
To listen to the conversation in its entirety, check out the full recording of the webinar.