2021 saw challenges for financial directors in the UK regarding cyber insurance, premium price hikes and increased excesses, and challenges around the validity of claims. James Arthur explains why you may need to do more than just rely on insurance.
Car insurance providers expect policy-holders to have adequate security measures in place to protect their car, such as steering wheel locks. Policy-holders who can't prove they had these, and had them in use when the incident occurred, have their claims rejected. And their premiums go up. Is this what will happen to your business if you make a cyber insurance claim without evidence of any other protocols in place to prevent a cyber attack?
Historically, many financial directors have relied on cyber insurance as a safety blanket to protect them from the consequences of cyber attacks. It was relatively cheap cover that was easy to get and required few pre-requisites or proof. Unfortunately, those days appear to be over, and in a constantly evolving cyber insurance market, financial directors need to ask whether this is still a cost-effective way to protect their business.
Protecting your company from the cost of cyber incidents is like protecting a car from theft: successful claims generally depend on showing you had reasonable measures in place to prevent the attack.
The accelerated dependency on the internet catalysed by COVID-19 has fuelled an increase in all forms of cybercrime. The frequency has increased by 600%. The cost of global cyber-crime is set to be USD 10.5 trillion annually by 2025. Throughout 2021 we've seen companies struggle to find affordable cyber policies or even any cover. This trend is set to continue in 2022.
Insurance broker Marsh reports that premiums increased by 73% on average last year, and we think this is only set to rise. Is cyber insurance now too expensive for businesses to justify in addition to other investments in cyber mitigation measures?
Cyber insurance can help minimise business disruption, provide financial protection, and can even help with legal and regulatory actions after a cyber incident has occurred, but it won't solve the problems that made you vulnerable to the breach/attack in the first place.
Understanding how important your organisation's data, systems, and devices are helps finance directors calculate the level of cover you require, and whether your current policy provides enough financial protection for your business. On top of knowing what a policy does cover, you also need to know what it excludes. Some policies do not cover all cyber incidents, and in 2022 we expect ransomware will be a common exclusion. This is one example of an increasingly common cyber incident not covered by standard insurance policies, leaving you with the financial burden should you be a victim.
Understanding cyber insurance and whether this will be enough for your business is something that should be at the top of your agenda in 2022. It's just as important for a company looking to renew in the coming months, as it is for one taking out a policy for the first time.
There are several points you should be aware of to assess how appropriate a policy is for your organisation.
Accurate technical due diligence
The vast majority of insurers and brokers now require much more detail around systems in use, what cyber defences (people, process and technology) are in place and how cyber risks are being monitored and managed on an ongoing basis. It can take a significant amount of effort to compile a sufficiently accurate response to these for the purposes of an application, especially as they are likely to be questioned if a claim is made against the policy.
To obtain cyber insurance, some providers are insisting that businesses already have set cyber processes in place to protect against and mitigate cyber breaches. Some of these minimum requirements include secure remote-access systems, multi-factor authentication (MFA), which adds a further verification step to the sign-in process, or endpoint detection and response (EDR) solutions, which help find suspicious activity on laptops and other devices so that threats can be contained. It is always worth noting the 'devil in the detail' here. Even 'factory default' MFA from some providers needs additional configuration to ensure it cannot be easily bypassed. Understanding these minimum requirements will help you manage your cybersecurity commitments throughout the year.
Some providers are insisting on evidence of ongoing cyber risk reduction activities throughout the lifetime of the policy, for example undertaking regular staff training, running technical vulnerability scans, monitoring system logs for indicators of attack, checking for open ports, and reviewing cloud configurations. Even the most advanced cyber security software can rapidly become out of date if not maintained. Constantly monitoring and updating cyber security processes is something that should always be on your agenda, not just when it's time to renew or start a policy.
Given the continued exponential rise in common types of attack, such as ransomware, we're expecting that insurers will exclude any costs associated with them in new policies/renewals in 2022, following in the footsteps of AXA who have already stopped covering this in some geographies. Understanding what is and isn’t covered in your policy will form a key part of your cyber protection strategy, allowing you to gain further insights and knowledge from relevant technical experts where required.
Increased policy excesses
We've seen policy excesses (ie, the initial costs that an insured company must cover) increase in both value and scope; understanding these is key to your ROI calculations when considering any insurance policy.
There's anecdotal evidence that some insurance firms are using ongoing external monitoring and cyber risk rating tools to monitor the firms they're underwriting, so that any changes to internet-connected systems (eg, an insecure remote-access port is opened, or vulnerabilities are not quickly fixed) are noted throughout the policy. Any cyber incident can then be traced back to those changes, allowing the insurance company to argue that the firm failed in its cyber protection duties.
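The ongoing checks described under technical due diligence (open ports and unfixed vulnerabilities tracked across the policy lifetime) and the external monitoring insurers are reported to run above amount to the same comparison: what does the firm expose to the internet now versus at the last check, and how long has each known issue been left open? The following script is an added example, not code from the article or from any insurer's rating tool. It compares two constructed snapshots of externally visible ports, flags any insecure remote-access service that has newly appeared, and lists findings that have exceeded an assumed 30-day remediation window. The hosts, ports, dates and `VULN-PLACEHOLDER-*` labels are all constructed for the example; the list of ports treated as risky is an assumption about a typical underwriting checklist, not a quotation from any policy.

```python
"""Spot risky drift between two external exposure snapshots.

Added example, not from the original article. It models in simplified
form the checks the article describes: a newly opened insecure remote-
access port, or a known vulnerability left unfixed beyond an agreed
window, both of which an insurer's external monitoring could hold
against the policyholder. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: services an external scan would treat as insecure when
# reachable from the internet (a typical underwriting checklist item).
RISKY_REMOTE_ACCESS_PORTS = {
    21: "FTP", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC",
}

# Assumption: days after which an unfixed finding counts as overdue.
REMEDIATION_SLA_DAYS = 30


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: Optional[str]   # None when the port is open but no vulnerability is flagged
    first_seen: date


# Constructed snapshots of (host, port) pairs visible from the internet.
SNAPSHOT_JAN = {("203.0.113.10", 443), ("203.0.113.10", 22), ("203.0.113.20", 443)}
SNAPSHOT_FEB = SNAPSHOT_JAN | {("203.0.113.20", 3389), ("203.0.113.10", 8443)}

# Constructed scanner findings; the vulnerability ids are placeholders.
FINDINGS = [
    Finding("203.0.113.10", 443, "VULN-PLACEHOLDER-001", date(2022, 1, 3)),
    Finding("203.0.113.20", 443, "VULN-PLACEHOLDER-002", date(2022, 2, 10)),
    Finding("203.0.113.20", 3389, None, date(2022, 2, 14)),
]
AS_OF = date(2022, 2, 20)   # constructed "today" for the report


def newly_exposed_risky_ports(before, after):
    """Return (host, port, service) for risky ports open in `after` but not `before`."""
    opened = after - before
    return sorted(
        (host, port, RISKY_REMOTE_ACCESS_PORTS[port])
        for host, port in opened
        if port in RISKY_REMOTE_ACCESS_PORTS
    )


def overdue_vulnerabilities(findings, today, sla_days=REMEDIATION_SLA_DAYS):
    """Return (host, port, vuln_id, age_days) for findings open longer than the SLA."""
    return sorted(
        (f.host, f.port, f.vuln_id, (today - f.first_seen).days)
        for f in findings
        if f.vuln_id is not None and (today - f.first_seen).days > sla_days
    )


def exposure_report(before, after, findings, today):
    """Combine both checks into the summary an underwriter's tool would record."""
    new_ports = newly_exposed_risky_ports(before, after)
    overdue = overdue_vulnerabilities(findings, today)
    return {
        "new_risky_ports": new_ports,
        "overdue_vulnerabilities": overdue,
        # Either condition is what the article says insurers note against a firm.
        "needs_attention": bool(new_ports or overdue),
    }


if __name__ == "__main__":
    report = exposure_report(SNAPSHOT_JAN, SNAPSHOT_FEB, FINDINGS, AS_OF)
    for host, port, service in report["new_risky_ports"]:
        print(f"NEW EXPOSURE  {host}:{port} ({service}) opened since last snapshot")
    for host, port, vuln_id, age in report["overdue_vulnerabilities"]:
        print(f"OVERDUE       {host}:{port} {vuln_id} open for {age} days")
    print("needs attention:", report["needs_attention"])
```

Run as-is, the script reports the RDP port opened on the second host and the first finding, which has been open for 48 days against the assumed 30-day window. In practice the snapshots would come from your own scheduled external scan rather than being typed in, and the point of running it yourself is to see the same drift the insurer would see before it appears in a claim dispute.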
Get your business ready for 2022
With cyber-attacks increasing across all industry sectors, understanding your current cyber and data security controls and potential vulnerabilities is key, whether or not you end up applying for cyber insurance. Many businesses are continuing to purchase cyber insurance, but more and more are redirecting the cost and effort of gathering the information required to long-term improvements in their cyber and data security positions through cyber mitigation investment – helping reduce the overall risk of an attack occurring in the first instance.
These long-term improvements include developing and implementing a cyber and data security improvement plan, introducing new technologies, awareness training and ways of working, and engaging a managed detection and response (MDR) service to monitor their networks. These measures can all help reduce the likelihood and severity of attacks before they cause significant damage, and help identify preferred partners for incident response and recovery.
Cyber breaches can happen at any time, so it's important to seek advice at an early stage. Our cyber teams have significant experience with all stages of your cyber journey, from risk assessment through to provision of MDR coverage and cyber incident response services if the worst should happen.
For more information and guidance get in touch with James Arthur.