Cyber insurance companies are enforcing stringent coverage requirements designed to force businesses to take control of their cybersecurity operations.

High-profile security breaches are becoming everyday news with large corporations taking a hit not only to their wallets, but also to their reputations with customers and shareholders. In fact, last year ransomware was the source of 81% of cyberattacks. And with the average ransom at over $170K, businesses are scrambling to get the cyber insurance they’ve been putting off for a while.

 

But with IT teams struggling to keep up with the onslaught of threats and attacks, enterprises are looking to cyber insurance to help them stave off ruin, should something breach their defenses. And it’s not just large corporations looking for a little solace should the inevitable strike.

 

Though a lot of SMBs think that their size keeps them safely under the radar when it comes to being targeted, it’s really the opposite. Bad actors often like to target the most vulnerable and those with the fewest security measures in place. For those SMBs realistic about their chances of becoming a victim, many believe that proper security and insurance coverage are just too expensive and out of reach. And they could be right. Many SMBs can't even get a quote due to their inability to comply with cybersecurity requirements, leaving their businesses both unsecured and uninsured.

 

Cyber Insurance: What it is and what it isn’t

Cyber insurance has been around for about 20 years. Policies often cover common cyber-related losses, like data breaches and ransomware attacks that result in loss of business or disruptions. It’s designed to offset recovery costs that you would have to pay in the event of an incident and can sometimes offset a variety of non-IT business costs, such as reputational damage and legal fees.

 

When it comes to cyber insurance, there are 4 common misconceptions:

  1. It’s a security measure and will protect you from a breach.
  2. It’s all-encompassing when it comes to loss due to an incident.
  3. All cyber insurance policies are the same, with the same fine print.
  4. It’s easy to get, you just have to check a few boxes.

 

Let’s unpack these one at a time.

  1. Cyber insurance is a reactive product. It won’t prevent a breach and it won’t immediately reduce the impact on the delivery of services to your users.
  2. Cyber insurance doesn’t cover everything. For example, the losses in production time or in materials associated with a breach are generally not covered by most policies.
  3. Every policy is different in its own way. Read, ask questions, and understand the exact limitations of your coverage before signing on the dotted line.

 


After experts deduced that the NotPetya attacks of 2017 were supported and developed by a nation-state, insurance companies said that the ransomware attack fell under the “act of war” clause in their policies. As a result, policyholders were initially deemed not covered for this attack.

 

It’s not that easy to get

In the good old days, insurance companies were knocking at your door—sometimes literally—to sell you a life, health, or auto policy. But times have changed, and businesses are now jockeying to get insurance, often leaving empty-handed.

 

In 2020, as cyberattacks were dramatically escalating, almost 50% of insurance clients were opting in for cyber coverage, up from just 26% in 2016. While more companies may be looking for insurance against attacks, stability in premium rates and access to policies are changing.

 

Large-scale attacks—such as the Colonial Pipeline ransomware attack—have highlighted the potential for catastrophic financial damages. As a result, insurers are taking steps to limit their exposure to these losses.

 

Since the cost of cyber insurance is based in part on the frequency, severity, and cost of cyberattacks, it’s no wonder that the uncertain future has made insurers more selective in who and what gets covered. Higher-risk organizations, such as education, healthcare, and public sector agencies, have seen their premiums skyrocket while, often at the same time, coverage limits have been reduced. By the end of 2021, cyber insurance pricing in the U.S. increased an average of 96% year-over-year.

 

Providers are also holding businesses accountable for actively managing their cybersecurity. This could mean denying coverage to businesses that fail to comply with basic cybersecurity controls or offering incentives to advance cybersecurity efforts in order to meet compliance requirements.

 

Getting insurance is no longer just checking off a couple boxes and then you’re in. It’s standard now for companies looking for insurance to provide:

 

  • A detailed report of the maturity of their cybersecurity model, including compliance with basic security controls
  • Proof of policy compliance at the time of a claim, so ongoing monitoring and reporting is a requirement
  • A body of evidence along with claims to ensure policy holders are compliant with the terms of their policy

 

Regardless of size or industry, getting cyber insurance is a lot more challenging and even impossible without professional guidance.

 

Making cyber insurance pain-free

Going through the cyber insurance process can be painful and overwhelming. That’s why Procellis is here to help you get, and stay, ahead of your cybersecurity.

 

As a registered CMMC-RPO with Advanced Cisco Security specializations, we ease the burden on your team by providing:

  • Security assessments using NIST 800-171 frameworks.
  • Timeline of prioritized security objectives in terms everyone in your business can understand.
  • Easy-to-digest action items that keep your progress moving forward without sucking up all your valuable time.
  • Lightning-fast response to your questions and requests so you can move forward frustration-free.
  • Clear and complete documentation you can confidently turn in to a cyber underwriter to get the best coverage possible at the lowest rate.

 

To learn more about how Procellis can provide you with a roadmap to cybersecurity, schedule a 30-minute security review to speak with one of our experienced security professionals.
