Have you experienced sticker shock with your cyber insurance renewal? Been unable to complete an insurer’s security questionnaire? Even been denied renewal of your policy?
All this is happening as insurers stagger under the weight of growing ransomware claims.
Ransomware attacks are soaring. Last year, reported ransomware attacks increased 400 percent, according to the Associated Press. This year, crooks are using so-called supply-chain attacks, such as the Kaseya and SolarWinds breaches, to spread their malware widely through software updates.
The increasing payouts – as well as rising forensic and mitigation costs – are undermining insurers’ viability, not to mention profitability.
“Some carriers are reevaluating their book of business and either not offering cyber coverage to certain classes of business – or getting completely out of the cyber coverage business,” said Joe Davis, Director of Cyber Liability at Houchens Insurance Group.
Major cyber insurer AXA decided in May to stop selling policies in France that reimburse customers for ransom payments.
The FBI and cybersecurity experts recommend against paying ransoms because of the problems being seen now: exploding ransom demands, and even criminals looking for victims with cyber insurance coverage.
However, so far, insurers face no ban on paying ransoms – or reimbursing for them – even though calls for regulation are growing. Instead, the insurance market seems to be balancing its costs on the backs of specific organizations.
For example, municipalities, education, and healthcare are facing price increases and stronger security requirements to obtain cyber coverage from insurance carriers, Davis said. All three have been repeatedly attacked – and paid ransoms – in 2019, 2020, and this year.
Unless a new technology or service arrives to halt malware attacks, Davis says cyber insurance will continue to be challenging to get.
“Prices will continue to rise. Even now, we’re seeing 40-60 percent increases on renewals and new business,” Davis said.
Insurers are now scrutinizing customers’ cybersecurity postures, too. In many cases, they are requiring specific security measures to be in place before providing a quote.
For example, if you don’t have multifactor authentication across your networks and email systems, you can’t get coverage.
“It’s like trying to insure a piece of property without the roof on it,” Davis said. “That’s how they’re looking at multifactor authentication.”
In addition, insurers want to know if customers are encrypting backups, using offsite backups, and have Incident Response Plans, to name a few measures.
“They’ll come back with a list – is this, this, and this being done,” Davis said. “If not, what are you doing to implement these measures, and what is the timeframe?
“It’s tough for clients to hear ‘we’re not going to be able to get this done until you take these steps,’” Davis said.
Finally, if you’re relying on a cyber insurance rider to your general liability policy, you probably don’t have the coverage you need, Davis said. Different insurance companies offered different benefits in their riders – and many did not cover much in case of an attack.
The best step to take is to consult with a cyber insurance expert knowledgeable on current security practices and attack trends, Davis said. Such experts can help organizations truly assess and understand their cyber risks to make informed decisions.
In the current environment, cybersecurity experts say it’s “when you’re attacked, not if.” The correct balance of security measures and cyber insurance coverage can stand between you – and bankruptcy.
Contact us today for a review of your cybersecurity situation.