Cyberattacks continue to grow in frequency, severity, and cost. In the past year, as many as 66% of all organizations were hit by ransomware, compared with 37% in the preceding year, according to Sophos’ report The State of Ransomware 2023. The rise in threats has spiked demand for cyber insurance and pushed premiums higher. Cyber insurance premiums have increased every quarter over the last several years, according to the Global Insurance Market Index, although this year’s second-quarter increase was only moderate. Unfortunately, the rise in threats has also reduced the number of companies that qualify for a cyber insurance policy.
But there are actions your organization can take to improve its chances of qualifying for cyber insurance. First and foremost, your organization can plan ahead and recognize what cyber insurance providers are looking for. Your organization needs to know the threats to your business, prepare for the application process ahead of time, understand what a cyber insurance policy covers, and partner with cybersecurity experts to proactively protect your organization from threats.
Know the Threats
Every day, bad actors plot new ways to exploit the networks of U.S. and global organizations. Ransomware is the primary threat concern, particularly in the healthcare, government facilities, and critical manufacturing industries. The average ransom payment nearly doubled from $812,380 in 2022 to over $1.54 million in 2023, according to the Sophos report. The report also found that recovering from a ransomware attack cost an average of $1.82 million, and that figure excludes the hefty ransom payments themselves. The high price tag of a ransomware attack has driven up cyber insurance premiums.
“Three years ago, if you applied for cyber insurance, you could get a policy and who knows what you’d pay for it, anywhere from cheap to not that expensive,” said Doug Howard, CEO at Pondurance. “Then, ransomware hit, which changed the payouts. As a result, insurance providers adjusted their premiums, and now, in the last few years, premiums have gone up anywhere from 50% to 100%.”
Business email compromise (BEC) ranks second as a threat concern, close behind ransomware. In BEC attacks, bad actors use social engineering scams and phishing emails to gain access to the email accounts of unsuspecting employees. In 2022, the FBI’s Internet Crime Complaint Center received a total of 21,832 BEC complaints, amounting to adjusted losses of over $2.7 million.
Prepare for the Application Process
Organizations want cyber insurance to protect their businesses against financial, regulatory, reputational, and other harms. Because the harms of a cyberattack have increased, the requirements for obtaining cyber insurance have become stricter. For instance, last year, insurers required organizations to have multifactor authentication (MFA) to qualify for cyber insurance. Today, insurers need to know not only that an organization owns an MFA capability but, more importantly, that MFA is actually deployed and in use.
Cyber insurance providers ask many crucial questions during the application process, and most of them ask the same core questions, such as: Do you use an endpoint protection product across your entire environment? What is your timeline for applying patches? Do you have an in-house or outsourced security operations center? How often do you conduct phishing training for your staff? Your answers will determine whether your organization receives cyber insurance, so it is important to have the proper cyber measures implemented before you apply.
“People looking for cyber insurance want to know what impacts their ability to qualify,” said Doug. “Whether they’re applying for cyber insurance for the first time or trying to renew an existing policy, they want to know what to do to get it right. I tell them to be proactive. Cyber insurance providers want to know that you have the technology, processes, and people already in place to protect against an attack.”
Understand What's Covered
Cyber insurance policies cover a broad array of attack scenarios, but if your organization experiences an attack that is not covered, the gap can be costly. That’s why it’s so important to thoroughly understand what is actually covered — and what is not covered — in your cyber insurance policy. Most cyber insurance policies contain exclusions: cyber events and scenarios that the insurance provider will not cover. These exclusions may include acts of war, failure to maintain security standards, payment card industry fines and assessments, and prior acts, to name a few.
“The courts have weighed in on exclusion clauses in cyber policies, particularly the acts of war clause, and they don’t always rule on the side of the policyholder,” said Doug. “That’s why you need to comb through each line of the exclusion language to know exactly what your policy covers, and do not assume that the exclusion will never apply to your organization.”
Partner with Cybersecurity Experts
Working in partnership with cybersecurity experts can reduce incidents and demonstrate to cyber insurance providers that your organization is taking responsible steps toward a comprehensive defense strategy. Cyber insurance providers encourage organizations to partner with digital forensics and incident response (DFIR) providers and managed detection and response (MDR) providers.
DFIR providers can help your organization swiftly contain incidents and fully restore systems after an attack. Proactively partnering with a DFIR team allows the team to become familiar with your organization and understand your network before a breach happens. That way, if a breach does occur, your organization is already several steps ahead in the response process.
Enlisting an MDR provider can help your organization reduce the likelihood of a breach. Modern MDR providers monitor networks 24/7, detect suspicious activity, and launch effective mitigation measures if an incident occurs. These services decrease dwell time — the number of days, weeks, or even months that a threat can hide within a network and compromise data — and, ultimately, reduce the cost of a breach.
“More and more, we are seeing cyber insurance providers require Managed EDR and Managed Detection and Response (MDR) across logs, network and cloud,” said Doug. “The providers used to ask, do you have technology? And then, do you use it, and is it being implemented? But later, they just skipped EDR and went directly to MDR. Now, MDR is a standard requirement for cyber insurance.”
With DFIR and MDR partnerships in place, your organization lowers its risk profile, which can help reduce cyber insurance premiums. If a compromise occurs, the cyber insurance provider will be more likely to cover the incident because your organization has taken the necessary precautions. Additionally, a cybersecurity partner can serve as a trusted representative that works with the cyber insurance provider to accelerate the recovery process.
The rise in threats has spiked demand for cyber insurance and reduced the number of organizations that qualify for a new policy or a renewal. But there are actions your organization can take to improve its chances of qualifying for cyber insurance and obtaining the coverage it needs. To keep up with the latest cyber insurance discussions, check out our blog Hot Topics in Cyber Insurance.