For many businesses, obtaining or renewing cyber insurance has become expensive and difficult.
The cost of cyber insurance has skyrocketed in the past year amid a rise in ransomware hacks and other cyberattacks. With this in mind, insurers are taking a hard line before renewing or offering new or additional coverage. They’re asking for more information about companies’ cyber policies and procedures, and businesses that don’t meet this high level of scrutiny could face higher costs, less support or even rejection, industry experts said.
“Investigation has grown exponentially in the last 18 months,” said Judith Selby, a partner in the New York office of Kennedys Law LLP.
In the second quarter, US cyber insurance premiums rose 79% from a year earlier, after doubling in the previous two quarters, according to the Global Insurance Market Index from services firm Marsh & McLennan Cos.
Cyber-related direct written premiums collected by major U.S. insurance companies — the amount insurers pay to customers, excluding premiums earned from acting as reinsurers — rose to $3.15 billion last year, up 92% from 2020, according to the filing. to the National Association of Insurance Commissioners, industry regulators, and is made up of accounting firms. Analysts say the increase was mainly due to higher rates, as opposed to insurers increasing their coverage limits.
Insurance companies are closely monitored for internal cyber systems. That’s a contrast to years past, when carriers poured into the cyber market and competition produced very few records, Selby said.
Now, insurers looking to reduce their risk are putting business security leaders on a long list of questions about how they protect their companies, said Chris Castaldo, chief information officer at Crossbeam Inc., a Philadelphia-based technology firm that helps companies find new business. customer relations.
“Before the questions started, you just gave them the money you wanted and the sales you had, and that was it,” Mr. Castaldo said, referring to the partnership with cyber insurers.
Discover Financial Services has a third party that verifies the robustness of its cybersecurity program, which helps with insurance, said CISO Shaun Khalfan. “Insurers want to have confidence that you’re making the right investments and building and maintaining a strong cybersecurity program,” Khalfan said.
Some of the questions insurers ask – and the amount of detail required – can depend on the carrier, the size and type of business seeking coverage and the scope of their claims.
About 18 months ago, underwriters asked companies if they needed more authentication when regulators got to their systems, said Tom Reagan, chief technology officer at financial services and analysts Marsh McLennan. Today there is an expectation that multi-factor authentication will be used throughout the organization, not just by administrators, he said.
Insurers also expect agencies to plan and test online activities, such as exercising on tablets, Mr. Reagan said: “They don’t just like your smoke alarms, they want to hear about the fire.”
Carriers want to know what kind of backup plans companies have in place in the event of a ransomware attack and how those plans are tested. Insurers also take a closer look at whether a company’s network is compromised to reduce the spread of malware, Mr. Selby said. Other important measures that insurers are looking at, he said, include end-to-end security, or monitoring and protecting devices against cyber threats, and incident response.
Some companies will need to work with more carriers than in the past to get the coverage they need because no single insurer wants to carry that much risk, Mr. Selby said.
Amidst the changing landscape, Reagan recommended that companies begin reassessing their cyber insurance needs six months before the policy comes back. Starting early to identify potential holes allows businesses to improve their cyber security, if necessary, and gather information that carriers want, he said.
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8