Insurance coverage

Why getting cyber insurance coverage is getting harder

Faced with the very real threat of falling victim to a cyberattack, a growing number of Australian businesses are assessing the value of insurance policies. However, that’s easier said than done, writes Scott Hesford, director of solutions engineering, Asia-Pacific and Japan at BeyondTrust.

Cybersecurity insurance is designed to protect a business from the potentially disastrous consequences of an attack on its IT infrastructure. These can range from significant financial losses to long-term reputational damage.

The coverage offered by insurers has come under increased scrutiny during the Covid-19 shutdowns. With much of their staff working from home, companies are realizing that their pre-pandemic security measures no longer provide the level of protection they need.

Reliance on firewalls and other on-premises measures is simply insufficient. Home workers — thanks to unsecured WiFi, unpatched personal devices, and generally poor cyber hygiene — are more vulnerable to everything from phishing campaigns to ransomware attacks and more.

These concerns come at a time when the number of high-profile attacks is on the rise. Breaches such as Colonial Pipeline, JBS Meats, Nine Entertainment and Kaseya have grabbed headlines and caused massive disruption for victims.

Meanwhile, the scourge of ransomware continues to grow. Last October, the Federal government action plan against ransomware noted that there had been a 15% increase in the number of ransomware attacks reported to the Australian Center for Cybersecurity over the previous 12 months, with CrowdStrike reporting that the average payout by Australian businesses in ransom payments was $1.25 million.

Tighter underwriting requirements

This increase in the number of cyber attacks and payments has a direct impact on the cyber insurance market. To stay solvent and viable, many insurers are dramatically increasing premiums, dropping coverage, or exiting the cyberinsurance market altogether.

Indeed, a report released by Aon last month found that the cost of cybersecurity insurance has risen more than 113% over the past year, with renewals likely to be at least 70% more expensive over the course of the following quarter alone.

Insurers are also tightening underwriting guidelines and requiring their customers to implement certain security controls, such as privileged access management (PAM).

They are also becoming more selective about who they are willing to cover. Just as a driver involved in multiple accidents may be dropped by their insurer, the cyber insurance market is no different. From an insurer’s perspective, not all claimants are good candidates.

Qualification for cyberattack coverage is carefully assessed, and coverage may be denied, based on prospective and current customers’ responses to comprehensive security questionnaires. Insurance companies are also increasingly hiring security professionals to help them identify and insure qualified customers and turn away those who are unqualified or pose too much of a risk.

Another market development is the focus of insurance policies on particular cyber risks. An insurer may offer a customer coverage for malware and spyware, but refuse to cover events involving ransomware. In fact, there’s a case to be made that ransomware attackers will retarget companies that have already paid through cyber insurance.

Boost your cyber-insurability

Organizations that don’t take strong precautions to protect against cyber threats can’t assume that cyber insurance will bail them out after an attack.

Insurers will increasingly hold companies accountable for their cybersecurity programs and levels of protection. They expect their customers to adequately meet their end of the bargain when it comes to mitigating risk, reducing attack surfaces, and implementing mature IT security strategies.

Additionally, if a business is the victim of an attack, their insurance company may require proof that they have the agreed-upon security measures in place. Lack of control, even over a single endpoint or application, can give the insurer the leeway it needs to deny a claim in court.

Implementing and managing PAM security controls is one of the best ways for a business not only to proactively reduce its cyber risk, but also to improve its ability to obtain cyber insurance coverage at the best possible rates.

Indeed, multiple security checks are now routinely required by cyber insurers. These controls include applying least privilege (including removing administrator rights) to human and machine accounts.

Some insurers also require companies to apply multi-factor authentication for remote access to their core network by employees and third parties. They may also require the company to have the ability to identify and remediate Indicators of Compromise (IoCs).

It is clear that the cyber insurance market is changing rapidly. Businesses may find it increasingly difficult to obtain coverage, and if they do, coverage may not be as comprehensive as in the past.

Indeed, business management must consider long-term strategies not only to meet the specific compliance requirements of their own industry, but also those based on the ever-changing threat landscape and security insurance environment.