Inside the Cyberinsurance Market: Who’s Covered, Who’s Not, and What’s Changing Fast
So what the heck is going on with cyber liability insurance? If you're a small business or medium-sized business, you may have seen a lot of changes in the market for cyber insurance. Maybe even inquiring for the first time, you saw it's very different from buying other types of insurance. The rates are higher, there's restricted access, you can't just buy any policy you want. There's a lot more underwriting involved. There's not just one person that asks you a few questions about your company — there may be multiple underwriters that scrutinize your business. Maybe they want actual reports and data investigation of your company. Either way, getting cyber insurance is a lot harder than it used to be — a lot harder than other types of insurance.
Why is that? What can you do about it? First, if you're the type of insured or policyholder that works with your insurer to get more understanding of what exposure they're trying to reduce, you have some good opportunities to match the coverage with your company. Everything with cyber right now is more scrutiny. All the insurance companies are scrutinizing their insureds and their markets a lot heavier because it's such a wild west of risk that they want to make sure that they're writing coverage properly.
One of the things that you'll find — it's a benefit to you — is the companies will be more involved with your risk control. Unlike your fire insurance or your general liability or business premises insurance, they do give you some suggestions and requirements to reduce risk. You'll find that in cyber, they're going to be all over you to help you and require you to reduce risk. Not participating in the risk reduction might even cost you coverage. So it's a good thing and a bad thing. If you work with them, you'll get good coverage and you'll be less likely to be a target. If you don't work with them, you might not have any coverage at all.
The underwriters are getting involved early. They're talking to your security officers, your IT people, and a lot of these quotes never get written because the insurer doesn't follow through on these things. A lot of times when you go for renewal, the underwriting will happen again — and maybe even more than it did the last time. It's the opposite of other types of insurance. Other insurance lines — you have more underwriting when you first write the policy and maybe a little less on renewal. You'll find with cyber insurance policies, you get underwriting scrutiny when you write it, but you might get more underwriting the next time you renew.
In many cases, the agent or the broker doesn't have binding authority. It's restricted. You have to have certain documentation, more internal/external conversations with maybe your vendors, maybe your clients, and you have to make sure that all your documentation matches what you're representing to that insurer. And they're going to want to see your hard data. They're going to want to see what your internal controls are — not just verbal or written on a contract. They're going to want to see actual proof that you have these controls in place, maybe even printouts from your servers that these inquiries and these observations are being made. The detection suite is operating properly.
More importantly, keep this in mind — your insurer is writing your policy and quoting your policy based on the specific risk you present. They're not writing it for an industry. They're not writing it for a demographic of a business — you know, maybe zip code and revenue and employee census count. Most businesses and business policies are written with just those three data points: zip code, industry SIC code, maybe revenue, employee count — and that’s it. That’s all they need. With cyber, they’re writing that policy and quoting that policy specific to your company based on the information and data you give them. What controls do you have? What data do you give them? What security measures do you have in place that can be documented — not just what you promised, but what's documented?
Put yourself in their shoes. The biggest problem with cyber is that the risk is changing week by week, month by month. The cyberattacks are different 30 days from the last one. So they're wanting to make sure that your protection is more holistic — it’s more systemic — so that you're not a victim of something they've not seen before, because you're protected against everything at the same time.
Cyber policies also either implicitly or directly cover regulatory problems. So if you have a breach and data is released on clients or consumers, there may be regulatory costs involved with that — regulatory cost in notifying, mitigating damages, maybe even fines and penalties. And your policy may cover that. So they're going to want to know what the regulatory environment is and what it might look like during the policy period. Many of these regulations are at the state level; some are federal. But at the state level, some are more severe. You know, states like California, Connecticut, Illinois have some very, very intense cyber breach regulatory requirements and penalties for companies that have these types of events. Some of them are a little bit less severe.
But here's what they're looking at: when a breach happens, whether it's ransomware or lock-up or exfiltration of data, there's a payload of the hack — there's a payload of the virus that comes in through some vector — either email, direct social engineering, sometimes files that are transferred. And once they're in, you may not even know that the hacker's in your system. Once they're in, they go lateral. So if they get in through an admin login or some high-level login, now they go lateral and they start to monitor emails and attach themselves to nodes that are lateral to where they got in.
So if they get in through, let's say, a CFO or sales manager — through their email — now they're in, and they can attach themselves to others in the hierarchy at the same level within your company. Then they move their way up, and they may not take any action for days, weeks — sometimes months — while they're in your system extracting your data, extracting information, deploying more virus payload to your company, putting in backdoors. So if you do find them, they have another way in. They may spend a lot of time inside your system virtually setting up their attack before they even make a move.
Then when they do make a move, there are three ways they do it. One is they lock up your system, and they say, okay, your data is locked down, it's encrypted, your system doesn't boot up, your cloud is restricted — and we'll give you the key to unlock it if you pay us X amount of dollars. Right now the average is about $300,000. There have been payments in the millions; there have been payments in five figures. So you pay them, let's say, and they unlock it — but what is the guarantee that they're not still in there? And they could ask for more money or do another round later.
The other thing they can do is — they have data that they've expropriated from your company: all your customer files, maybe your accounts payable, accounts receivable, banking information, product information, manufacturing information — could be intellectual property that they've extracted from your system — and they have it saved, separate from ransomware. They could say, look, we're going to release this if you don't pay us. We're going to release it to the dark web — all your customer data: their names, addresses, date of birth, social security number — if you have ID copies, they're going to release it all and say it came from you. And now you're in trouble unless you pay us.
They're going to release maybe all your production or client information to a competitor. They'll say, look, we found your competitor is XYZ Marketing that's in the same business as you, trying to get the same customers. We're just going to sell your customer list to them — unless you pay us. It's another way they could make money from the deal. These companies are vertically integrated. They have outsourced companies that get the payload in, and then it’s a referral to the hacker that charges the money. They run like any other business — sales departments, operations, accounting, programming. They're big operations.
So you want to be prepared against that. Obviously, the best practices — you have all your data backed up in places that are firewalled away. You have another copy in the cloud with a different login. You have a physical copy on a disk, maybe on your premises. But that's not enough. If they're going to export it, you have to detect this very quickly. If somebody gets in before they start scraping all your data out — which can take days or weeks — if you know that they're in, you can shut them down and you can know what's been extracted.
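Two of the stages described above, an account fanning out to many hosts once it is in (lateral movement) and a host pushing out far more data than usual (exfiltration), are the kind of thing the "detection suite" the underwriters ask about is meant to catch. The following is an added example written for this page, not code from the video or from any vendor: it runs two simple detections over constructed authentication and flow-log lines. The log formats, host and account names, the 30-minute window, the four-host threshold and the 5x baseline factor are all assumptions chosen for illustration.

```python
"""Toy detections for two intrusion stages: lateral movement (one account
authenticating to many hosts in a short window) and bulk exfiltration
(a host sending far more data out than its own baseline).
All log lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: timestamp, account, destination host.
# The 'cfo' account is normal during the day, then fans out after hours.
AUTH_LOG = """\
2024-05-01T09:00:00Z user=cfo host=FIN-LAPTOP-01
2024-05-01T09:05:00Z user=sales1 host=SALES-PC-03
2024-05-01T09:10:00Z user=cfo host=FIN-LAPTOP-01
2024-05-01T22:01:00Z user=cfo host=FS-01
2024-05-01T22:02:00Z user=cfo host=FS-02
2024-05-01T22:02:30Z user=cfo host=SQL-01
2024-05-01T22:03:00Z user=cfo host=DC-01
2024-05-01T22:04:00Z user=cfo host=BACKUP-01
2024-05-02T08:00:00Z user=sales1 host=SALES-PC-03
"""

# Constructed daily outbound-byte totals per internal host (e.g. from flow logs).
# Earlier days form the baseline; 2024-05-01 is the day under review.
FLOW_LOG = """\
host=FS-01 day=2024-04-25 bytes_out=200000000
host=FS-01 day=2024-04-26 bytes_out=180000000
host=FS-01 day=2024-04-27 bytes_out=220000000
host=FS-01 day=2024-05-01 bytes_out=1800000000
host=SALES-PC-03 day=2024-04-25 bytes_out=50000000
host=SALES-PC-03 day=2024-04-26 bytes_out=40000000
host=SALES-PC-03 day=2024-04-27 bytes_out=60000000
host=SALES-PC-03 day=2024-05-01 bytes_out=65000000
"""

AUTH_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+)$")
FLOW_RE = re.compile(r"^host=(\S+) day=(\S+) bytes_out=(\d+)$")


def parse_auth(text):
    """Return [(timestamp, user, host), ...] sorted by time; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def lateral_movement(events, window=timedelta(minutes=30), min_hosts=4):
    """Flag accounts that authenticate to >= min_hosts distinct hosts inside
    any sliding window of the given length. Returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for ts, user, host in events:          # events are already time-ordered
        by_user[user].append((ts, host))
    flagged = {}
    for user, evs in by_user.items():
        for i, (start, _) in enumerate(evs):
            hosts = {h for ts, h in evs[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def parse_flows(text):
    """Return {host: {day: bytes_out}}; skips malformed lines."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows[m.group(1)][m.group(2)] = int(m.group(3))
    return flows


def exfil_suspects(flows, review_day, factor=5.0):
    """Flag hosts whose outbound bytes on review_day exceed factor x the mean
    of their earlier days. Returns {host: (baseline_mean, observed)}."""
    flagged = {}
    for host, days in flows.items():
        if review_day not in days:
            continue
        baseline = [b for d, b in days.items() if d < review_day]  # ISO dates sort as text
        if not baseline:
            continue  # no history to compare against; leave for a human to review
        mean = sum(baseline) / len(baseline)
        observed = days[review_day]
        if observed > factor * mean:
            flagged[host] = (mean, observed)
    return flagged


if __name__ == "__main__":
    print("lateral movement:", lateral_movement(parse_auth(AUTH_LOG)))
    print("exfil suspects:", exfil_suspects(parse_flows(FLOW_LOG), "2024-05-01"))
```

Both checks compare each account or host against its own history rather than a fixed industry number, which is the same per-company view the underwriters take. Hosts with no baseline are deliberately left unflagged rather than guessed at; in practice those are the ones to inspect by hand first.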
If you have all this in place — best practices with a cyber protection plan — and you can find out more on our website. When it comes time to talk to your insurer about getting coverage, you can tell them, look, here's what we've got. Here's our manual security, all our policies, all our procedures. This is how we do it. They're not going to have to teach you how to do this — you'll already be doing 90% of it. They may add a few things based on, hey, you know what, this is good, but here are some other types of risks that we see in other companies.
But at least if you have your ducks in a row, you'll find — first, you'll have access to more markets. Second, your price and your policies will be low — your premiums will be low. And third, most important, you'll be less likely to have an event. Because even if you do have an event that's paid for by your insurer, it's still going to be a bad day. The money’s only going to be part of it. You have reputational risk. You may have regulatory risk. You may have employee risk that they're maybe skittish about your company. You may have clients that are concerned about doing business with you.
So you don't want to have a risk to begin with. Or you don't want to have a loss to begin with — because even if your insurer makes you whole, so to speak, you still have those other durable, remaining, and residual effects on your company that aren't going to be good. So putting these policies in place — even without insurance — reduces the risk. And then this of course helps you mitigate the cost should something happen.
Let us know what you think in the comments. Check out our website for more information and we'll see you on the next video.
