Cybersecurity Insurance Applications Need a Digital Refresh
March 31, 2022
Cybersecurity claims have risen, as has the number of organizations looking for cybersecurity insurance. Some estimates place ransomware payments at close to $600 million for the first half of 2021. The increase in payments has caused some insurance companies to restrict the number of policies issued, while others lower the coverage amount or increase premiums.
While ransomware attacks make headlines, claims as a result of increased consumer privacy violations are likely to add to the industry's losses. Many companies are concerned as the European Union's General Data Privacy Regulation (GDPR) and California's Consumer Privacy Act (CCPA) become law. No one knows the impact these laws will have on the industry, but most underwriting guidelines are changing to mitigate the risks associated with ransomware attacks and privacy law violations.
Not only do new applications receive extensive scrutiny, but so do renewals. The risk landscape has changed so dramatically that every application or renewal requires more documentation regarding cybersecurity preparedness. Often the application process has not been adjusted to request this information until the application has reached underwriting. Even then, the questionnaires may not be comprehensive enough to evaluate potential risks. Some insurers are looking to cybersecurity firms for assistance in evaluating cybersecurity preparedness.
Additional questionnaires may focus on such areas as:
- Ransomware. Different security organizations list best practices for minimizing ransomware attacks, such as applying all updates to software and operating systems. Insurers may start requiring that these practices be in place before insuring an organization.
- Training. Training is probably the least implemented best practice. Insurers may require companies to have scheduled training sessions to protect against possible cyberattacks.
- Vendor Management. Supply chain attacks have increased, requiring companies to ensure that every business in their supply chain adheres to strong cybersecurity defenses.
- Authentication. Best practices recommend multifactor authentication with least-privilege models. Although companies have been hesitant to change authentication models, they may find themselves doing so if they want to be insured.
If these factors are not incorporated into an organization's cybersecurity plan, the risk of a successful cyberattack increases significantly. Underwriters will want to evaluate the preparedness before issuing a cybersecurity policy. However, underwriters may need access to cybersecurity specialists who can evaluate the efficacy of the plans.
Business Continuity Plans
Business disruption coverage often goes hand in hand with a cybersecurity compromise, but it isn't always the result of a cyberattack. Disruptions can come from the loss of power or a global health crisis. In the past, insurance companies may have been lax in their efforts to assess business continuity capabilities. Today, that focus has changed. The better prepared an organization is to come back online after a disruption, the better the outcome for both the insurer and the insured.
For example, underwriters may want information on:
- What is being backed up?
- Is the process being tested?
- How often is it tested?
- Can the data be restored?
- Is the restored data accurate?
Minimizing risk requires a more in-depth analysis of the methods to ensure a fast recovery time. Many companies have a one-and-done approach to backup testing. They exercise the system when it is put into place but rarely or never test the process again. The longer an organization goes between backup tests, the greater the risk that the process will fail.
Underwriters may want to take a closer look at a company's backup procedures. For example, backup processes should be tested before a system change or upgrade to ensure that data is available if a fallback is necessary. After the changes or upgrades, the process should be repeated to ensure that the appropriate data is being saved.
Best practices recommend keeping backups offsite or in locations that cannot be accessed through the production system. Making sure the process undergoes end-to-end testing with offsite storage verifies that the process is working. Part of that end-to-end testing is confirming that the restored data is complete and accurate.
Good business continuity plans are also good defenses against ransomware attacks. Full backups that restore complete and accurate systems minimize the risk of paying a ransom to regain control of a company's data. A clear understanding of how to protect digital assets can help both the insurer and the insured experience better outcomes.
Cybersecurity vulnerabilities that violate compliance standards are a financial disaster waiting to happen. As more government regulations are implemented, businesses wanting to do business with local, state, and federal agencies will have more standards to meet. Industry-specific regulations such as GLBA and PCI-DSS are likely to increase to maintain consumer confidence.
Underwriters will want to see proof of compliance or ongoing certifications to ensure organizations maintain best practices for cybersecurity protection. It is another way for insurers to assess a company's cybersecurity preparedness. In the past, insurance companies focused on data security to protect against identity theft and data breaches, but recent events have shifted that focus to malware attacks such as ransomware.
Today, insurance companies must take a wider view of cybersecurity. Using compliance standards as a way to evaluate cybersecurity can help underwriters understand the liability risks associated with an application or renewal. Given that cybersecurity specialists are rarely underwriters, insurers may need to re-evaluate how applications are viewed.
Insurance companies need a digital refresh of their online application processes and their internal underwriting policies. Few online processes have expanded to include additional information that insurers need to assess risk. As a result, the user's digital experience lacks cohesiveness with the actual process, resulting in a poor customer experience.
Internal assessments need a different type of digital refresh. Insurers need processes that enable qualified cybersecurity specialists to assist underwriters in evaluating the cybersecurity preparedness of applicants. Together, the groups can deliver a more accurate assessment that can translate into a better risk analysis.
To learn how our Cyber Application risk assessment and scorecard can help you complete more cyber applications for your insureds, resulting in more bound policies, schedule a time to talk with our team.