Cyber insurance requirements have changed dramatically in the past 12 months. Insurance underwriters are now requiring more and more security solutions, monitoring, and oversight of your organization’s data and systems. Why? The enormous amount of payouts that insurance companies have made; many which could have been avoided if better security systems were put in place.
Disclaimer: The information provided in this article is intended as a summary of our own findings and anecdotal examples. This information is not provided as advise, guidance, or practice. Consult your insurance broker and attorney for specific guidance for your organization.
Cyber liability insurance has been around for some time often referred to other forms of insurance 10 or 20 years ago. But a lot has changed including since then with the frequency, sophistication, and sheer breadth of attacks being performed. No person or organization is immune to the threat.
One statistic has put the total revenue on insurance premiums at $10 billion dollars. That may not seem like much for the insurance industry compared to home or auto, but it is a large amount. And that number will grow exponentially over the next 5 years. If we look at the cost of insurance since 2017-2017, the cost of premiums has tripled. And 2022 and 2023 are expected to see at least double digit growth.
Will Improving Our Security Lower Our Premium?
Not likely. Even after implementing all recommended security solutions and practices including conducting vulnerability assessments, we still saw our premium double. That may be shocking, but the IT industry has seen increases as high as 1000% year over year. We were able to get avoid a huge risk.
Depending on the risk profile of your organization, you may have greater exposure to a large increase, or in some cases, losing your coverage all together. The changes are driven by large losses on these insurance plans. The insurance industry expects to have a loss ratio of about 42% or less. In 2020, that number was 62%. Not surprising, the rates went up by 29% on average. And the rates went up again in 2021. And that trend will continue until the loss ratio comes back down. Still this loss ratio will remain an issue until the risk factor drops across the board.
And some industries will be at greater risk than others. IT, SaaS, and related service providers are under significant scrutiny. Its one of the reasons why we started planning to move to a cloud only offering starting back in 2019. Our plans will culminate in being 100% Microsoft Azure and AWS hosting and service oriented. Others in the industry are finding cyber insurance cost prohibitive.
What are Cyber insurance requirements?
The overall coverage of cybersecurity requirements is too extensive for just one blog. And frankly, for most readers the content is so overly technical it may indirectly act as a deterrent to do something about it for your organization. First, it’s important to know that the cyber insurance companies aren’t making these requirements up. Like the government, they are following standards and frameworks that already exist like CIS controls, NIST, and the ISO 27000 series standards. Most of the requirements are summarized in the CIS Controls.
Let’s look at the five over arching components of these requirements:
Malware Protection: You’ll need the latest technology for
Managed Detection and Response: Unlike traditional software that you install and let it do its scanning and monitoring. This requirement is about live, 24×7 detection of threats and having an ability to receive a response to the threat. Not just a notification.
Identity Management: Managing logins, passwords, and securing the accounts are a big part of tightening security. That includes multi factor authentication and regular changes to account security.
Awareness Training and Testing: Few know that your people represent the largest share of risk to your organization. 30% of threats are allowed because of human error by staff. That’s a big problem.
Auditing and Oversight: Probably the most overlooked is the assignment of someone to review reports and settings at least very 90 days and having regular vulnerability assessments.
The later of these shouldn’t not be exclusively outsourced to a third party. Like managing finances, some portion of these security requirements should have an internal person that holds your vendors and staff accountability.
You may be asking yourself, is all this trouble worth it just to get cyber liability insurance. Well, maybe not, but the lost to your operation can be much larger than you expect.
The insurance industry and other research firms put the 2021 average loss per incident at $3.8m. Well that may not be most small organizations, but it should get your attention. Not that your individual payout will be this large, but that the risk to your business operations will be significant.
In one incident for a third party organization, they had more than two weeks of downtime without their data. And they spent over $175,000 in fees to recover. The most difficult part was that they lost weeks of billable revenue. After 3 months, they were still not to the same level or productivity prior to the incident. Think about your staff not able to execute on projects or respond to customers to meet deadlines for weeks on end.
To say that would be embarrassing doesn’t sum it up. The stress of an event could cause burnout, turnover, forced process changes on people, customer loss. To summarize, a BIG headache.
When considering what to do, just remember to protect you and your people. The work you do is just too important.