Applying for Cyber Insurance: How To Get Accepted

Cyber insurance policy prices are skyrocketing due to the increase in ransomware cases over the past year. With that higher price comes less coverage. Think about your car insurance policy where you have different limitations for the amount of coverage for damages to the vehicle and the amount of coverage for injury or death. The same concept applies to cyber insurance where carriers offer lower amounts of coverage for a phishing attack than they do for a brute force attack. In this case, the reduction primarily involves limitations associated with coverage caps and limits on ransomware.

More companies are applying for cyber insurance than there is funding. When demand exceeds availability, you get increased rates, and that’s happening universally.

Insurance carriers have concluded that it’s better to be prepared and have prevention measures in place than to experience a cyberattack. This includes minimal requirements, especially for things at high risk for a ransomware attack.

While Pondurance can help with digital forensics and incident response, we recommend preventive measures to address questions that cyber insurance carriers have added to their underwriting questionnaires. To be approved for cyber insurance, it’s best to know why companies are denied cyber insurance, how they can be better prepared for the application process, and what to do to prepare for the years to come.

Why are companies being turned away from cyber insurance?

Claims often exceed cyber insurance policy premiums, causing the market to tighten in several ways. These claims are primarily driven by ransomware. Many insurance carriers have lengthened the underwriting questionnaires to include robust questions about an organization’s maturity to protect itself against ransomware. One of the questions many carriers now ask is if the company has multifactor authentication (MFA) in place for remote access to the network and email and for privileged users. If the answer is no, some companies may not receive coverage.

Many insurance firms also limit the book of business they allow for cyber insurance divisions to write policies on. For some insurance groups, this means they will not have capacity to continue writing new policies in the next half of 2021. Reducing risk of claims, primarily driven by ransomware, means not renewing or taking on high-risk clients that don’t have protections in place. As a result, cyber insurance firms will decline many renewals and new policies to provide capacity for lower-risk clients.

What can companies do to be better candidates for cyber insurance?

Key considerations for carriers are your industry and your security readiness. Professional services organizations involved in providing operational IT or IT security infrastructure as a service for other firms, such as a managed service provider (MSP), find it difficult to get cyber insurance. It’s very difficult for a carrier to evaluate how much personally identifiable information, payment card industry information, and protected health information are within an MSP’s systems as they don’t know what data their clients have. Combine that with the fact that those organizations are a main target of cybercriminals and any breach may affect hundreds or thousands of clients and all their clients as well. So there’s an aggregation risk to a carrier’s book of business, without an easy way to correctly quantify and price for the risk.

Your company’s security readiness is also a consideration. Insurance carriers look to see if employees use MFA to log in to systems. They want to see a level of protection for the domain controller including remote desktop protocol access, use of service accounts, 24/7 monitoring, endpoint detection and response (EDR), and role and policy changes. Other minimums vary by cyber insurance carrier.

There are simple and cost-effective ways to reduce your cyber risk, including:

• Enable MFA across your organization, specifically for remote access, email, and privileged users.
• Have segregated backups. A 3-2-1 backup strategy is a good place to start, specifically including offline or cloud-based backups.
• Add endpoint protection such as managed detection and response and EDR services.
• Enable domain-based message authentication, reporting and conformance, and sender policy framework.
• Use patch management and be able to check for and quickly patch software where needed.
• Check for and manage open ports.
• Train employees to identify phishing attempts and foster a culture of cybersecurity awareness.

What should you do to plan for the next year when going to renew? 

We recommend working with your broker in advance of applying or reapplying for a cyber policy. Your broker can help you understand what you need to do and what needs to be addressed in terms of your cybersecurity posture to make you a better candidate when applying. The broker wants to see clients get cyber insurance and will help to put you in the best position possible when going to apply.

How can we help?

Pondurance is partnering with insurance carriers to proactively work with their clients. We help by looking at questionnaires and providing recommendations to improve clients’ cybersecurity posture so they can be in a better position to renew their policies.