Cyber insurance policy prices are skyrocketing due to the increase in ransomware cases over the past year. With that higher price comes less coverage. Think about your car insurance policy where you have different limitations for the amount of coverage for damages to the vehicle and the amount of coverage for injury or death. The same concept applies to cyber insurance where carriers offer lower amounts of coverage for a phishing attack than they do for a brute force attack. In this case, the reduction primarily involves limitations associated with coverage caps and limits on ransomware.
More companies are applying for cyber insurance than there is funding. When demand exceeds availability, you get increased rates, and that’s happening universally.
Insurance carriers have concluded that it’s better to be prepared and have prevention measures in place than to experience a cyberattack. This includes minimum requirements, especially for systems at high risk of a ransomware attack.
While Pondurance can help with digital forensics and incident response, we recommend preventive measures to address questions that cyber insurance carriers have added to their underwriting questionnaires. To be approved for cyber insurance, it’s best to know why companies are denied cyber insurance, how they can be better prepared for the application process, and what to do to prepare for the years to come.
Why are companies being turned away from cyber insurance?
Claims often exceed cyber insurance policy premiums, causing the market to tighten in several ways. These claims are primarily driven by ransomware. Many insurance carriers have lengthened the underwriting questionnaires to include robust questions about an organization’s maturity to protect itself against ransomware. One of the questions many carriers now ask is if the company has multifactor authentication (MFA) in place for remote access to the network and email and for privileged users. If the answer is no, some companies may not receive coverage.
Many insurance firms also cap the book of business their cyber insurance divisions are allowed to write. For some insurance groups, this means they will not have capacity to continue writing new policies in the second half of 2021. Reducing the risk of claims, primarily driven by ransomware, means not renewing or taking on high-risk clients that don’t have protections in place. As a result, cyber insurance firms will decline many renewals and new policies to preserve capacity for lower-risk clients.
What can companies do to be better candidates for cyber insurance?
Key considerations for carriers are your industry and your security readiness. Professional services organizations that provide operational IT or IT security infrastructure as a service for other firms, such as managed service providers (MSPs), find it difficult to get cyber insurance. It’s very difficult for a carrier to evaluate how much personally identifiable information, payment card industry data, and protected health information sit within an MSP’s systems, because the MSP itself does not know what data its clients hold. Combine that with the fact that those organizations are a prime target of cybercriminals and that a single breach may affect hundreds or thousands of clients, and those clients’ own customers as well. The result is an aggregation risk to a carrier’s book of business, without an easy way to quantify and price that risk correctly.
Your company’s security readiness is also a consideration. Insurance carriers look to see if employees use MFA to log in to systems. They want to see a level of protection for the domain controller including remote desktop protocol access, use of service accounts, 24/7 monitoring, endpoint detection and response (EDR), and role and policy changes. Other minimums vary by cyber insurance carrier.
There are simple and cost-effective ways to reduce your cyber risk, including:
- Enable MFA across your organization, specifically for remote access, email, and privileged users.
- Have segregated backups. A 3-2-1 backup strategy is a good place to start, specifically including offline or cloud-based backups.
- Add endpoint protection such as managed detection and response and EDR services.
- Enable Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF) on your email domains.
- Use patch management and be able to check for and quickly patch software where needed.
- Check for and manage open ports.
- Train employees to identify phishing attempts and foster a culture of cybersecurity awareness.
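The DMARC and SPF item on the list above is one that can be verified mechanically rather than by self-attestation. The following is an added example, not Pondurance code and not part of the original article: it parses SPF and DMARC TXT records and reports the weaknesses an underwriter's question is really probing for (a permissive `+all`, a monitor-only `p=none`, a partial `pct=`, no aggregate reporting address, too many DNS-lookup mechanisms). The records it runs on are constructed samples embedded inline; it performs no DNS queries, so in practice you would feed it the TXT records you retrieve for your own domains.

```python
"""Assess SPF and DMARC TXT records for common weaknesses.

Added example, not Pondurance code. All records below are constructed
samples; nothing here queries DNS, so the script runs offline.
"""
import re

# Mechanisms and modifiers that each consume one of the ten DNS lookups
# an SPF evaluation is allowed (RFC 7208, section 4.6.4).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample records for two hypothetical domains.
SAMPLES = {
    "weak.example": (
        "v=spf1 include:_spf.example.net +all",
        "v=DMARC1; p=none",
    ),
    "strong.example": (
        "v=spf1 ip4:203.0.113.0/24 mx -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    ),
}


def parse_spf(txt):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    terms = []
    for tok in txt.split()[1:]:            # skip the leading "v=spf1"
        qual = "+"                         # default qualifier is pass
        if tok and tok[0] in "+-~?":
            qual, tok = tok[0], tok[1:]
        m = re.match(r"([a-z0-9]+)(?:[:=/])?(.*)$", tok, re.I)
        if not m:
            continue
        terms.append((qual, m.group(1).lower(), m.group(2)))
    return terms


def assess_spf(txt):
    """Return a list of findings; an empty list means no issue detected."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["SPF: no record, so any host can claim to send as this domain"]
    terms = parse_spf(txt)
    findings = []
    all_quals = [q for q, name, _ in terms if name == "all"]
    if not all_quals:
        findings.append("SPF: no 'all' mechanism; unmatched senders get an implicit neutral")
    elif all_quals[-1] == "+":
        findings.append("SPF: '+all' authorizes every host on the internet")
    elif all_quals[-1] == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to enforce")
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of findings for a DMARC record."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return ["DMARC: no record, so SPF/DKIM failures are never acted upon"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown or missing policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def assess_domain(spf_txt, dmarc_txt):
    """Combined findings for one domain's SPF and DMARC records."""
    return assess_spf(spf_txt) + assess_dmarc(dmarc_txt)


if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        findings = assess_domain(spf_txt, dmarc_txt)
        print(f"{domain}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run against real domains by replacing the entries in `SAMPLES` with the TXT records for `yourdomain` and `_dmarc.yourdomain`. A `p=quarantine` or `p=reject` policy with an `rua=` address, alongside an SPF record ending in `-all` or `~all`, is the state most questionnaires are asking you to attest to.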
What should you do to plan for the next year when going to renew?
We recommend working with your broker in advance of applying or reapplying for a cyber policy. Your broker can help you understand what you need to do and what needs to be addressed in terms of your cybersecurity posture to make you a better candidate when applying. The broker wants to see clients get cyber insurance and will help to put you in the best position possible when going to apply.
How can we help?
Pondurance is partnering with insurance carriers to proactively work with their clients. We help by looking at questionnaires and providing recommendations to improve clients’ cybersecurity posture so they can be in a better position to renew their policies.
Chief executive officer | PONDURANCE
Doug has over 30 years of experience as a technology leader and innovator in security with a highly developed background in business development, mergers and acquisitions, operations, engineering, marketing, sales, and executive leadership. In his previous role at RSA as Vice President of Global Services and IT Innovation, he provided leadership support for RSA’s strategic vision and global operational execution, various Dell governance programs, and the mergers and acquisitions exit from Dell to STG.
A former member of the U.S. Air Force, Doug holds a bachelor’s degree in management and marketing from Strayer University.
President | ProWriters
Prior to taking over at ProWriters, Brian spent roughly two decades in the insurance industry in claims, underwriting, and leadership roles, most recently as the Southwest Regional Executive and Senior Vice President at Hiscox Inc. He started their Los Angeles office to serve the southwest region for all products. Before that, Brian was the Mid-West Regional Executive and opened the Chicago office for Hiscox to serve Midwest brokers for all products. He also served as the Hiscox Technology E&O and Cyber Product Head for the United States. Prior to Hiscox, Brian was an underwriter at Chubb and an underwriter and claims adjuster at National Union (AIG). While there, he focused on complex professional, management, and cyber liability risks.