Cybercrime continues to be a challenge for business owners, meaning that cyber insurance is no longer a luxury, it’s a must-have. Most small and medium-sized businesses (SMBs) understand they require property, liability and workers compensation insurance, but many may be unaware how important cyber insurance is for their organization. Even for those who do have this type of coverage, it’s hard to keep up with all the regulatory changes, and there’s still many misconceptions around payouts if the unthinkable happens. Here’s a quick overview to make sure a company policy is up-to-date, and that there will be a full payout if a cyberattack occurs.
The Cyber Insurance Industry is Evolving
It’s no secret that cybercrime is on the rise. The FBI’s Internet Crime Complaint Center (IC3), established in 2000 to track internet crimes, has received 6.5 million complaints since its inception. According to its 2021 Internet Crime Report, last year, the IC3 got 3,729 complaints, identified as ransomware, with adjusted losses of more than $49.2 million. Last year, there was $6.9 billion in losses with 2,300-plus average complaints daily. Phishing scams continue to top the list. These alarming stats drive home the point that companies cannot forgo cyber insurance. But getting insured is not as straightforward as one would think. Plus, the industry is shifting to keep pace.
The first change business owners need to be mindful of is that self-attestations are a thing of the past. Policyholders now have to show proof that the controls they claim to have in place really are there, and it needs to be documented. And, if there were to be a breach, they need to be able to show that the controls in the policy were active prior to the incident. Remember, the burden of proof is on the entity, not the insurance company. Organizations need to keep detailed records of insurability compliances such as multi-factor authentication (MFA) or patch management, and demonstrate there are tools in position to remediate risks to the environment. Taking these steps will maximize the chances of receiving a full payout. Business owners also need to pay attention to the fine print around catastrophic coverage. Systemic attacks such as supply chain, zero-day and infrastructure outages are mostly excluded in policies through sublimit. This means that the coverage is less than the policy limit. In fact, many policies are entirely excluding this type of coverage or limiting recovery to $10,000.
Trends to Watch Out For
When it comes to costs, expect them to keep inching north. Premiums are up, about 30-50%, depending on the sector. Some industries, such as healthcare, are seeing increases in the triple digits. Other sectors that can expect to be impacted include manufacturing and construction due to supply chain issues.
Another trend revolves around how difficult it has become to get insured in the first place. Companies with longstanding policies are shocked when they learn they’re not being renewed. The reason – the inability to show required controls were active. It’s mandatory for organizations to disclose if they were declined renewal. Being “dropped” can spiral and have long-term effects like no longer being “insurable” in the eyes of the insurance company. For this reason, business owners need to stay on top of what’s happening in their IT environment and ensure those essential controls are always in force. If they’re not and the company learns that from an underwriter, it's often too late. If only one control out of six is lacking, it can lead to being denied coverage.
Another reason it’s getting harder to get insured is that the supply is decreasing because the costs associated with a breach are so high, and there’s more of them these days. Generally, companies can expect to pay more, yet get less coverage.
What to Do If Coverage is Denied
Business owners who get declined or are not renewed should not panic. The first thing to do is to certify the missing controls are immediately put in place. Companies can improve their “insurance credit” by monitoring what’s required and implementing it in their IT environment. It’s important to keep tabs on new regulations as they come out and adapt as needed. A yearly spot check is not enough. Many SMBs today are relying on compliance manager solutions that allow them to wrap a due care service around their insurance policies.
Since there are less carriers willing to take on risk, there needs to be another source of protection for those who cannot get insured. Service guarantees can minimize the impact of a cyber event. There are programs that provide warranty coverage to reward behavior changes, such as implementing specific controls. These initiatives help drive overall costs to customers and offer some protection while also allowing the business to show they are complying. Once the controls are implemented, and certified, insurability is reinstated.
Every cyber insurance policy has terms and conditions few people actually read. Due care standards in insurance contracts will show what protections a user should have to maintain their IT environment and maximize a payout in the event of an incident or breach. However, if companies cannot prove they’ve been meeting all the terms and conditions, they will struggle to secure a full payout. It’s critical to make sure required controls are in place and regularly check for updates. It may seem tedious and redundant, but this extra step will improve chances of continued coverage, which will go a long way if the company ever becomes the victim of cybercrime.
About the Author:
Max Pruger, a pioneer in the managed services industry, is Kaseya’s general manager of Compliance Manager GRC, VulScan, and MyITProcess and is responsible for Kaseya’s go-to-market strategy for his respective business units. Previously, Pruger served as chief revenue officer of CloudJumper (acquired by NetApp), where his responsibilities included running all aspects of the company’s sales operations, managing and developing an MSP channel, and building a world-class sales organization.