Three ways companies can meet the evolving requirements of the insurance carriers  

Since 2020 ransomware attacks have been on the rise, impacting two-thirds of organizations in the last year, wreaking havoc across industries and increasing the cost of cyber insurance premiums. The spike in ransomware activity, data breaches, and other cyberattacks has impacted cyber insurance carriers that have spent the last few years adjusting underwriting guidelines, increasing prices, and reducing available coverage to offset losses.

Even as the loss ratios of insurance carriers remained flat in 2021, noteworthy incidents such as the Brenntag and Colonial Pipeline ransomware attacks continued to push cyber premiums sky-high. Organizations seeking to renew or refresh their cyber policies in the new year face more stringent eligibility requirements and new exemptions, such as Lloyd’s of London’s exception for certain categories of nation-state attacks.

With the threat of more policy exclusions on the horizon, today’s security leaders are looking for ways to make their organizations more attractive to underwriters. Here are some important steps for companies to take that seek to get the most out of renewed policies:

Carriers have increased their expectations for minimum security standards in response to the growing threat of cyberattacks. Underwriters want to ensure the organizations they cover have implemented specific security protocols before considering them for a policy. Generally, they are looking for the implementation of standard security techniques and technologies across an organization, such as multi-factor authentication (MFA) and user behavior analytics (UBA). As party of the  underwriting process, organizations must fully understand their level of preparedness should a breach occur. Carriers want to see organizations taking steps to proactively defend themselves before insuring them.

Security fundamentals are often overlooked, but underwriters look for companies to properly implement basic tactics. A few basics that carriers look for include endpoint detection and response (EDR), firewall usage and effectiveness, encryption and regular backup of business data, and secure provisioning and de-provisioning processes for user access. Without these measures, underwriters may limit an organization’s coverage or deny it altogether.

Each organization possesses a different amount of cyber risk. The factors that make up this level of risk lie at the heart of obtaining cyber insurance. Coverages do not come in one-size-fits-all packages. Each organization gets considered individually based on its likelihood of falling victim to cyber threats.

The carriers correlate the likelihood of a breach to how secure an organization’s network and applications are, in conjunction with how well that organization  equips itself to remediate known vulnerabilities. Factors like endpoint security, patching cadence, and network security are strong predictors of cyber risk.

Cyber risk quantification (CRQ) lets organizations verify cyber insurance adequacy and determine the amount of insurance that sufficiently covers their cyber risk. By quantifying cyber risk, organizations can attach measurable terms to security initiatives and help communicate risk reduction, in addition to better understanding the sort of coverage that works for them. 

Any steps an organization can take to mitigate risk ahead of a carrier’s underwriting assessment will help obtain favorable pricing and coverage, reduce the number of subjectivities required to bind, and avoid immediate declinations.

A comprehensive review of an organization’s security posture requires more than just an internal assessment. Cyber risk management goes well beyond internal stakeholders. An organization’s security posture consists of the company itself, its partners, and all vendors. Organizations should have a full view of their ecosystem’s risk to pinpoint any weaknesses and prevent any surprises when seeking coverage. Top management doesn’t want the organization to be caught off- guard by a potential security issue tied to an external party.

Organizations should ensure they are proactively monitoring for vulnerabilities among their vendors and have an open line of communication with these organizations. When the company uncovers a third-party risk through proactive monitoring, organizations must communicate and remedy their findings before a breach occurs.

Having complete visibility over assets both inside and outside of an organization will let security teams determine mitigation strategies that will reduce their cyber risk and improve their candidacy for coverage.

While obtaining cyber insurance has grown in complexity, both insurers and the insured are essentially playing the same game. Both parties want to understand and accurately evaluate the level of cyber risk attached to a particular organization. For the insurer, the evaluation process helps to minimize loss and for the insured, it helps to close internal security gaps.

Ultimately, when organizations have insight into their security posture, they are always in a much stronger position to secure a policy that fits the company’s needs and budget.

Andrew Correll, director, insurance solutions, SecurityScorecard