Securing Cyber Insurance Starts with Risk Mitigation

October 25, 2021

By Brad Barron, Ed Cooney, Laura Kerns

Cybersecurity risks, namely from ransomware attacks, have risen to heights companies and public entities can no longer afford to ignore.

The COVID-19 pandemic has ushered in a surge of ransomware attacks, a type of cyber attack in which companies are locked out of their data management systems and charged massive fees by cybercriminals to unlock them. In 2020 alone, roughly $350 million in ransom was paid to cybercriminals – a more than 300% increase from 2019, according to the Department of Homeland Security. Other sources put the worldwide ransom payments for 2020 in the billions of dollars. Furthermore, the weekly average number of ransomware attacks increased nearly 1,000% in June 2021 from the previous year.

It can be hard for companies, particularly smaller businesses that do not perceive these attacks as a real threat to them, to rationalize spending money on cybersecurity risk management. But ransomware attacks are happening to businesses of all sizes and in every industry. Municipalities, public entities and health care systems also face a growing risk. Implementing a risk management framework has become essential for these organizations.

Many companies and public entities are now scrambling to secure cybersecurity insurance coverage to better protect themselves. Cyber insurance has been on the market for decades, but only in the last five years has the demand for this coverage risen to match the severity of today’s risk environment. In today’s hardened marketplace, it’s become increasingly difficult to secure cyber coverage.

Less Coverage and Fewer Renewals

The recent spike in cyberattacks, including ransomware, data breaches and other network issues, and the associated losses have driven increases to cyber insurance premiums as well as rates and retentions. The average premium increased 25.5% between April and June 2021 alone, according to a Q2 2021 survey from the Council of Insurance Agents & Brokers (CIAB).

Carriers across sectors have decided to reduce cyber insurance offerings and even remove cyber coverage from commercial property and casualty policies due to rising claims. Many insurers have also increased premiums or self-insured retentions (SIR) to levels that hinder companies from obtaining or renewing insurance and keep many from reporting claims.

Cyber underwriters are also tightening their conditions and are now asking many more questions before agreeing to take on liability. Most notably, underwriters are evaluating in more detail the risk mitigation strategies companies have in place to prevent cyberattacks and reduce losses. Without meeting these conditions, companies will be hard pressed to find a carrier.

Top 4 Risk Mitigation Strategies Insurers Require

For businesses and public entities looking to protect themselves with cybersecurity insurance, there are four key security measures every carrier is making sure are in place before providing coverage. Organizations seeking coverage – or even those looking to further safeguard their data – should implement these precautions immediately.

  1. Off-network data backups: All data should be backed up off-site through either an off-site server or cloud service. Data stored off-site stays secure in the event of a cyber attack and can be used to restore systems.
  2. Multi-factor authentication (MFA): MFA reduces security risks by requiring multiple methods of authentication to log in to company sites or networks. Many businesses already use two-factor authentication, but in today’s cybercrime landscape, it’s imperative that all organizations move to MFA to create a deeper defense against unauthorized users.
  3. Employee training and testing: According to FBI data, phishing / vishing / smishing / pharming attacks nearly doubled in 2020 from 2019. Organizations must invest in educating employees regularly on how to identify security risks – like fraudulent emails, texts, phone calls and websites – and how to report them in a timely manner.
  4. Endpoint detection and response (EDR): EDR is an integrated security solution that continuously monitors and collects data from network endpoints like laptops, tablets and mobile devices to flag threats, and that has automated response and analysis capabilities. While this is still an emerging technology, organizations should begin investing in EDR today as endpoint attacks are becoming more prevalent.

While these are the top requirements for most insurers, there are other risk mitigation strategies companies should also strongly consider implementing, including secure patching practices, use of Virtual Private Networks (VPNs) for remote access, password strength management and integrity, access privilege controls and segregation, encryption of PII (personally identifiable information) and PHI (protected health information) files, and an incident response plan that is practiced.

Risks and Tactics Are Constantly Evolving

The cybercrime environment is always changing as attackers learn and find new ways to infiltrate systems. Companies must stay on top of security and risk mitigation to ensure they’re protected from the latest risks and tactics. Without taking these first steps and investing in security, it will be even more difficult to secure cyber insurance, and companies will be left vulnerable to damaging attacks.

Conner Strong & Buckelew has years of experience in cyber risk and insurance, helping clients properly protect their networks and address cyber threats. Our team of cyber experts can help you navigate the ever-changing cyber insurance market, secure coverage and implement security standards and technologies to keep your business safe. Our claims team also provides white glove service when a cyber incident occurs to ensure you maximize your coverage and receive prompt remedial assistance.

Practice Leader

Bradford Barron

Partner, Managing Deputy General Counsel

Practice Leader

Edward Cooney

Partner, Senior Account Executive, Underwriting Manager Public Entity Practice


Laura Kerns
Claim Consultant