Cyber risks are evolving rapidly, and the insurance industry is scrambling to keep up! In short, the industry is experiencing growing pains that will affect employers in many ways, including the following:
- Insurers are changing how they underwrite policies and may be less forgiving about lax cyber security measures.
- Pricing is constantly changing as cyber risk policies adapt to rapidly evolving risks.
- Insurer appetite for risk is changing, and the “right fit” with a cyber insurance company will vary depending on your industry, company size, location, and unique risks.
In a webinar sponsored by the CSA (Cloud Security Alliance) Ohio River Valley Chapter and moderated by Greg Allender, Chief Information Security Officer (CISO) at TriHealth, we heard from industry leaders discussing cyber insurance and its current transformation, evolving standards, and what the future might hold. The panelists were:
- Leon Ravenna - Chief Information Security Officer (CISO) at KAR Global
- Josh Anderson - Chief Information Officer (CIO) at Rea & Associates, Inc.
- Lacy Rex - Vice President, Cyber Strategic Leader at Oswald Companies
- Ryan Dunn - Director of Insurance at Trava
- Mercy A. Komar - Cyber Risk Manager, Commercial Lines Manager at L. Calvin Jones & Co.
This blog series offers highlights from the program. We start off hearing from Mercy Komar, who certainly doesn’t mince words when it comes to her take on cyber insurance carriers.
Q: What dirty little secrets should we know about cyber insurance?
Mercy: The first little secret is that not all—in fact, very few—insurance agents are qualified to sell cyber insurance. For example, there are 7,500 licensed property and casualty agents in Ohio. Maybe 5% are qualified to sell cyber insurance. Most don’t even understand the basics. Many are giving boilerplate coverages that are not specific or appropriate to individual businesses based on their industry, size, or level of risk. And worse, most agents don’t know how to interpret the policy to policyholders. Consequently, policyholders may end up with a policy that has either inadequate coverage or more coverage than they need.
The second dirty little secret is that insurance companies may not be on your side. Policyholders need to get consultative help from an expert in cyber insurance to interpret and fully understand their policies.
Q: What has cyber insurance traditionally looked like and how is it changing?
Ryan: Six years ago, if a small business was applying for cyber insurance, it involved completing about a four- or five-page questionnaire with about a $300 to $400 annual premium. Now, it’s more like a 14-page application, an intensive call with a security engineer, and after all of that they may or may not qualify for coverage. It’s becoming a more and more arduous process and premiums are dramatically on the rise. We talked a lot about this in a recent cybersecurity awareness event.
Policyholders must have a clear understanding of their security posture. Mercy said this, too. Get consultative help from an expert in cybersecurity and how it relates to cyber insurance to be able to interpret and fully understand your policy.
Q: What technology changes are expected in the next two or three years, and what insurance changes?
Leon: If you’re not doing EDR (endpoint detection and response) today, you’re already in trouble. In the next 24–36 months, network segmentation will be critical.
Insurance companies are getting smarter about what they are looking for in covering SMBs.
Cyber insurance will be another audit you have to be prepared for. And insurance companies are getting more intensive in their reviews and should inform your roadmap.
Q: What are the trending changes to cyber insurance questionnaires?
Josh: The top ones that come to mind are:
- The list of questions is getting longer.
- The questions are more informed—more focused on data and types of data.
- There is greater depth around compensating controls and processes that you have in place.
Q: What about the industries? Are there some that are more high risk than others?
Lacy: The more obvious one is, of course, payments. Less obvious and yet also very high risk is higher education. Traditionally, higher ed has not been under much scrutiny, but one source says it is 48% more costly to remediate, so that is what is driving more scrutiny.
Manufacturing is another industry at high risk. Business interruption/business income loss in manufacturing companies can be substantial and costly to insurance companies.
Every industry is being rigorously underwritten. Even small business.
Q: Will insurance carriers pay cyber extortion (ransomware)?
Lacy: There has been a lot of bad press about cyber liability and insurance companies not paying claims (denials). Why? It’s not always the “fault” of the insurance company. Policyholders need to take some responsibility, too. For example,
- If the company did not have cyber liability coverage and they try to make a cyber claim under a different type of policy, like general business coverage, the insurance company will likely deny it. You must have a separate cyber insurance policy and understand what is and what is not covered.
- If the policyholder remediates the extortion or ransomware with another vendor—in other words, pays the ransom via another third-party consultant—and then submits a claim/invoice after the fact, the insurance company will not pay the claim. Engage your insurance agent immediately. Your carrier will be the one to advise you, guide the conversation, include data analytics, and work with government officials.
Q: What other coverage restrictions are we seeing in the market?
Lacy: Cyber extortion: If your controls are not where they need to be, cyber extortion is being excluded. Cyber co-insurance is being utilized. And there is scrutiny around dependent business interruption. Many carriers are now including IT vendors and other third parties in their coverage.
Supply chain: Your policy will respond to a non-physical business interruption. For example, you might qualify for coverage if one of your suppliers has a hack that results in their system being down. There are a lot of nuances and exclusions.
In the end, if you are not updating and safeguarding your systems and practicing good cyber hygiene, it could result in an exclusion in your policy.
We continue the conversation about cyber insurance in Part 2, where we focus on other cyber risk management tools required for today’s cyber insurance policies and why it’s getting harder for small businesses to get cyber insurance.
Watch the webcast on demand.
Insurance brokers, let Trava uncover cyber risks and help patch them before you write a policy.