Insurance companies scrutinize cybersecurity controls
Over the past year, there has been a substantial shift in the already difficult cyber liability market.
The changes, particularly the scrutiny of supply chain coverage and systemic losses, were precipitated by the SolarWinds incident of December 2020, in which many entities, including governments and corporations, were compromised.
According to Fitch Ratings, cyber liability incidents have increased in severity and frequency over the past few years, with a loss rate of 73% in 2020. I suspect 2021 will be worse given the number of catastrophic events that have already occurred, such as the record $40 million extortion payment made by CNA; concerns about the potential disruption of the food supply chain from the ransomware incident at meat-packing company JBS USA; and the Colonial Pipeline incident, which cut off the fuel supply to the East Coast.
What was the cause of the Colonial Pipeline incident? Lack of multi-factor authentication for an account.
With the increase in cybersecurity claims, insurance companies are scrutinizing cybersecurity controls and rigorously underwriting each risk.
Therefore, multi-factor authentication and cyber hygiene are essential to gain coverage. So what is multi-factor authentication (MFA)? It uses two authentication factors to verify the identity of an individual.
Typically, this is a password and an authenticator app, and should be used for the following:
• Remote access for all employees, company users and third parties accessing your system
• Access to email on non-corporate devices or through a web application
• Privileged / administrative access within your network
Cyber insurance companies are starting to sublimit certain lines of coverage, apply coinsurance up to 50% of the loss, reduce capacity, and limit coverage when cybersecurity controls are not favorable.
Historically, premiums have been very competitive, but they are now increasing by about 60% to over 100% due to claims. Because of the increasingly difficult market, cyber liability underwriters look for specific controls before considering offering any terms.
In addition to MFA, companies should consider regular phishing drills, encrypted backups, email filtering for malicious content, a well-established incident response plan, routine vulnerability scanning, and a patch management process.
Think of these controls as similar to building insurance. If there are no sprinklers or similar considerations for loss control, your building may not be insurable. Cybersecurity has no finish line, and companies must continue to improve their controls with endpoint detection and response, privileged access management, next-generation firewalls, and more.
Also, make sure you allocate enough to your IT security budget and confirm that your controls match insurers’ expectations.
Cyber liability insurance is an essential risk transfer mechanism for any organization, but securing it has become more difficult than ever.
Your organization should review your cybersecurity controls with your broker to identify potential challenges and better understand renewal expectations. Insurers have encouraged their policyholders to use their risk management tools, but now they expect companies to adopt these controls.
An effective cyber risk management program will help provide the best possible deal in this difficult market.