Cyber risks are evolving rapidly, and the insurance industry is scrambling to keep up. In short, the industry is experiencing growing pains that will affect employers in many ways.
In a webinar sponsored by the CSA (Cloud Security Alliance) Ohio River Valley Chapter and moderated by Greg Allender, Chief Information Security Officer (CISO) at TriHealth, we heard from industry leaders discussing cyber insurance and its current transformation, evolving standards, and what the future might hold.
Leon Ravenna - Chief Information Security Officer (CISO) at KAR Global
Josh Anderson - Chief Information Officer (CIO) at Rea & Associates, Inc.
Lacy Rex - Vice President, Cyber Strategic Leader at Oswald Companies
Ryan Dunn - Director of Insurance at Trava
Mercy A. Komar - Cyber Risk Manager, Commercial Lines Manager at L. Calvin Jones & Co.
This blog series offers highlights from the program. In Part 1, we started off hearing from Mercy Komar about dirty little secrets in the insurance industry, Ryann Dunn about changes in cyber insurance in general, and Lacy Rex about why your cyber insurance claim might get denied.
We continue the conversation in Part 2.
Q: In addition to EDR (endpoint detection and response), what are some of the other security tools required for a cyber policy?
- A privileged access management system, which is an information security (infosec) mechanism that safeguards identities with special access or capabilities beyond regular users.
- A leading provider for EDR
- Compensating controls
- Backup encryption
- Phishing training and security awareness on a monthly basis—annual is no longer often enough.
- Operational technology (OT) environments treated with the same level of scrutiny as your IT environment.
Mercy: I would add that SonicWall firewalls are no longer acceptable.
Ryan: Requiring MFA (multi-factor authentication) on email and on every software in your internal systems is critical.
Leon: This is a review of what you’re doing for your organization. Use various inputs you have as a security leader/IT leader to talk about all of the pressures you’re experiencing—from the government, the states, from Europe, from insurance carriers. Do these things: MFA, robust training system, layered email security approach, segmentation of your networks. And use inputs to build the roadmap for your company.
Q: What are the top reasons why cyber insurance companies are denying applications?
Mercy: End of life systems. Bring your own device (BYOD) to work. Network security controls being too low. Third-party service providers.
Insurance carriers can predict annual occurrences, like hurricane season, and can set money aside for claims. But there is no “season” for cyber attacks.
The healthcare industry is seeing a tremendous increase in rates. I know of cases where premiums have gone from $35K to $100K in one year!
Q: It’s getting harder for small businesses to get cyber insurance. Why is that?
Ryan: Carriers are starting to push down enterprise level security requirements on small businesses. And they are doing it 2–3 months before renewal. They are requiring things like an EDR solution, a full MFA audit, etc.
A small business owner may not know what to do or where to turn for help. It can be so overwhelming that it might beg the question, “Should I even renew my cyber insurance policy?” At Trava, we’re trying to make it easier for small businesses to prove that they have the cyber risk management measures in place and have a more seamless experience with their cyber insurance renewals…and at affordable premiums.
Q: Are estimates done over the phone? Or will insurance companies require a tech audit before they get an estimate?
Ryan: Insurance companies might include a security engineer to go over any interesting findings from vulnerability assessment scans.
Mercy: After reviewing scans, carriers might give a preliminary estimate, then ask for a more extensive application.
Q: What are some generic questions asked?
Leon: Anticipate things that cause you the most pain. Plan to have a narrative around what cybersecurity measures you have in place. When you have an underwriter call, lay out your cyber security program in a thoughtful manner. How prepared are you to lay out what you do well, what you consider important, and what plans you have moving forward?
Josh: In addition, include what projects and material enhancements you have undergone. In other words, reinforce your value.
Q: Should you continue working with your existing carrier on cyber insurance, or explore a new carrier?
Josh: It changes from year to year. It doesn’t hurt to put your policy out for bid and see what’s in the market. Consider no less than two or three options. Consider market fluctuations, how the market is changing over time. And get a variety of perspectives.
Mercy: Pricing always comes back as extremely variable. If you are going to change insurance companies, make sure the coverages are the same! Many times they are not. Have a broad understanding of what your policy does and, as importantly, does not cover.
Lacy: Take a close look at the reporting provisions in your proposed policy, also called “Notice of a Circumstance.” If an incident happens or you suspect that something has happened, report it immediately to your carrier. Then it’s on file in the event something serious arises in the future.
And again, renewals are unpredictable. Premiums are going up considerably. Retentions are going up. Expect anywhere from 60% to sometimes greater than 100% increases on renewals.
Q: How should you prepare for your renewal meetings with your brokers?
Lacy: Start with risk factor and size factor. For the higher risk industries, like payment processing, it’s a good idea to prepare an underwriting presentation. It would dovetail with a board presentation. This is a good idea even if you are a smaller organization. Think about what barriers will you have to getting an insurance renewal and address those in your presentation.
If you don’t have an underwriting presentation, work with your broker to put one together. They should be giving you guidance throughout the process. Ask for underwriting questions in advance—at least 3 to 4 months out—and embed answers into your presentation.
Here at Oswald Companies, we use an assessment scanning tool with our clients to find their vulnerabilities, and then they have the opportunity to fix them before the renewal underwriting presentation.
Leon: Provide ongoing security training within your companies. And communicate that with your broker. Include any progress you are making with risk mitigation, too.
Q: How does cybersecurity impact cyber insurance?
Ryan: A lot of people ask or assume that if they have cybersecurity measures in place it will decrease their premiums. Where the impact lies, however, is more about guaranteeing a renewal. As we’ve learned in this program today, cyber insurance carriers have so many restrictions that getting renewals is a more arduous process, and not as predictable. With a comprehensive cyber security program in place, your renewals are more predictable and your coverages will be more appropriate for your business without carve backs.
Q: Do you foresee segmentation in the insurance industry?
Mercy: Yes, you’re going to see a lot of it. For example, many small businesses have data breach coverage. Insurance companies have realized that they are providing a lot of coverage for small premiums, and now small businesses are sometimes finding it daunting to put the proper security controls in place, or pay the additional premiums. They may then not be covered at all.
Others will be moderately secure or even super secure. Insurance companies will start segmenting out companies that are doing the job they are supposed to be doing to protect their businesses versus those that are not. Most small businesses don’t have a good MSP (managed service provider). Like I talked about with insurance brokers at the beginning of today’s talk, many MSPs or MSSPs (managed security service providers) are simply not qualified and that gets revealed in the renewal process.
Lacy: MSPs and MSSPs are the most difficult classes to insure for. Hackers specifically target them because they know they will get access to their downstream customers.
Watch the webcast on demand.
Insurance brokers, let Trava uncover cyber risks and help patch them before you write a policy.