Attendees at IBTTA's latest webinar--Cybersecurity Insurance--got a comprehensive look at the current market for cybersecurity policies, the biggest threats to their own networks and some best practices for how to acquire and maintain the right coverage.
"In today's world, cyberattacks can not only be harder to detect and more damaging, but it seems that everyone can be a target," said Mark Cantelli, Vice President, Head of Global Delivery at TollPlus LLC and moderator of IBTTA's most recent webinar—“Cybersecurity Insurance," presented by the Council of Platinum Sponsors. "Carrying cybersecurity insurance makes as much sense as carrying health insurance or car insurance."
The process of acquiring and maintaining cybersecurity insurance, however, can be tricky, or prohibitively expensive. Cantelli and a panel of cybersecurity insurance experts aimed to get to the bottom of the somewhat disconcerting trends currently plaguing the cybersecurity insurance market, and ultimately offered some strategies for how organizations can make their case to insurers to get the coverage they need.
Costs of cybersecurity insurance premiums have risen sharply, noted panelist Greg Odegaard, Vice President, Legal Counsel of TollPlus. "We know there's been a lot of cyber activity and ransomware, et cetera," he said, "but why exactly has it increased so much...particularly without having had any major claim activity?"
Odegaard also noted that policies have gotten more complicated in the recent past as well, and buyers have had to string together policies from different brokers to truly protect themselves. "Now you're talking to twice as many insurers and answering twice as many questions" to get the same amount of coverage, Odegaard said.
The biggest driver of spikes in insurance rates has been a concurrent spike in ransomware attacks, according to panelist Teresa Leahey Carmody, Senior Broker - Team Lead with Willis Towers Watson. "As a result of this activity, carriers are making changes to the coverages they're offering," she said. "They're really looking to dig deeply into organizations' controls to see, what are they doing proactively to make sure they're protecting themselves against ransomware activity?"
As in other areas of the economy, this problem has been exacerbated by the pandemic, and the increased reliance on remote work. "Because we're still mostly in a decentralized work environment," Carmody said. "Those folks are more likely to click on those malicious links."
From a macro perspective, there’s no question that ransomware attacks are the cybercrime du jour, and that these attacks are what’s making policies so much more costly. "Since 2014 the number of cyber claims reported each year has gone up substantially," said panelist Elizabeth Caldwell, Claims Advocate & Cyber Claims Leader – West, also with Willis Towers Watson. "There was a slight dip in the number of cyber claims in 2021, but we think the slight decrease is actually due to a slight lull in ransomware attacks during the second half of 2021.”
The high-profile ransomware attacks of early 2021 drove an increase in public awareness, organizational vigilance and enhanced network security that reduced ransomware attacks (and the number of claims) for a short period, Caldwell said. "Ultimately this lull we saw in the second half of 2021...we don't think is permanent. We're already seeing an uptick in ransomware claims,” she said.
For companies seeking to navigate their way to the best possible cybersecurity coverage for the best possible rate, in addition to having stringent network and internal controls implemented to prevent ransomware attacks, they also need to take care to advocate for themselves to their insurer as well.
"When you apply for your cyber insurance, most of the larger carriers have a ransomware supplemental application you'll be asked to complete," said Jonathan Davies, C|CISO, CISSP, CCSP, Associate Director, Cyber Risk Consultant with FINEX, North America, referring to additional coverage most insurers offer that's specific to ransomware attacks. "The problem with these is that they're very binary in their questions and responses."
For example, he said, an insurer might ask if a company has multi-factor authentication (MFA) across its entire system, and the company might have some MFA in some spots, and not in others. This makes the answer to a yes/no question more complicated than the typical ransomware supplement provides for. If the organization says "no" then typically the insurer won't approve the coverage, but when the answer's not so clear cut, companies need to proactively provide more details to get their insurer to understand the situation.
"Don't be afraid to add a continuation sheet to these supplemental applications--two to three bullet points--and state your case," he said. "You don't get much of a floor to explain what the ground floor is like in your network, and you know your network better than the underwriters."
Learn more about the current state of cybersecurity insurance and how to get it (and keep it) by watching a replay of the webinar on IBTTA’s YouTube Channel.