Cyber insurance is a crucial aspect of every cyber security program. If you think that your cyber insurance claim will get approved with no questions asked, think again. Several factors will determine your ability to obtain and retain the type of coverage you need at an affordable rate. When reviewing your claim, your insurance provider will assess whether or not you took “due care” to protect your business from being compromised by a cyber attack. While having a cyber insurance policy is non-negotiable in today’s climate, you cannot be certain that your insurer will cover the costs of a security breach.
Coverage Denials and Claims Rise
Ransomware cyber threats are continuing to trend upward with supply chain and third-party vendors under direct attack. The cyber insurance market is on high alert, and its risk model for coverage is changing. Some insurers have even retreated on their coverage altogether, and pricing has increased anywhere from 40 to 60%. As a result, premiums are much higher and coverage may be reduced or denied altogether.
Claims have also become more complex when they address ransomware payments. Various other factors need to be considered with these claims, including IT forensics, legal costs, business interruption, and funds for data restoration. Businesses will need to undergo detailed assessments, providing any documentation necessary to be considered for coverage.
The New Reality of Insurance
A 2021 Coalition Cyber Insurance Claims Report shows that social engineering incidents were up 51% over the first half of 2020. The claims report states that businesses need to implement common cyber security measures as a condition of cyber coverage. There are steps you can take so you’re less likely to be denied during the cyber insurance underwriting process. However, it’s ultimately up to the underwriter’s discretion. Prepare to prove that your cyber security program aligns with your potential risk, which includes testing, training, detection, and response. Your insurance company will also request data, questionnaires, and other relevant information – no detail will be overlooked.
No Insurance is Risky Business
Opting out of cyber security insurance is not an option, and operating without it can lead to a multitude of legal consequences. Paying a premium for cyber insurance is worthwhile when you consider the potential impact of being unprepared. Not being insured can result in loss of business continuity, profitability, health and safety, and reputation within the community. Common reasons your claim could be denied include:
- Failure to maintain or follow an ongoing program or minimum standards
- Discrepancies, errors, omissions, or ambiguity in completing the initial risk assessment
- In the event of an attack, the initial compromise occurred before the cyber insurance policy was purchased
- Ransomware perpetrated by organizations deemed nation-state actors may be considered acts of war
- Conducting your own initial forensic discovery — discuss incident response requirements before you have an actual event
Plan, Prep, and Execute
Businesses with cyber security insurance need to ensure that their coverage is sufficient and addresses their most significant risks, as well as the clients they serve. There are two main types of insurance: first-party coverage and third-party coverage. While first-party coverage covers losses suffered directly by the insured, third-party coverage extends to losses suffered by others with a relationship to the insured. Coverage is never 100% comprehensive, and the following costs may not be covered by your policy:
- Downtime/business interruption resulting in loss of sales and profitability
- Costs to improve technology systems, such as new hardware and software, upgrades, and security hardening for systems or applications
- Third-party or misconfiguration errors, such as a breach arising from cloud misconfiguration or an administrative issue configuring cloud-hosted web services
Best Practices to Avoid a No-Go on Insurance
If you’re exploring cyber insurance, be prepared to provide lots of details about your business, who your customers are, and your established policies and procedures. Determine your risk with full transparency, set a baseline, and conduct a thorough evaluation of the policies available and what exactly they cover.
Industry Leading Cyber Security at Mindcore
Not all insurance plans are created equal, and organizations need to understand each aspect of their coverage to ensure it matches their business needs. Organizations without internal IT security teams may be more vulnerable to sophisticated cyber threats, and they will likely need additional guidance and tools to build and manage a strong cyber security program.
While we can’t guarantee that you won’t have challenges obtaining coverage along the way, Mindcore provides businesses across New Jersey and Florida with high-quality cyber security solutions to exceed an insurance provider’s expectations. Contact us today for more information about our services or to schedule a consultation with a member of our team.
Learn More About Matt
Matt Rosenthal is CEO and President of Mindcore, a full-service tech firm. He is a leader in the field of cyber security, designing and implementing highly secure systems to protect clients from cyber threats and data breaches. He is an expert in cloud solutions, helping businesses to scale and improve efficiency.