Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise

Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise

img-blog-buying-cyber-insurance-gets-trickier-as-attacks-proliferate

Security chiefs should shop early for coverage and prepare for long questionnaires about their companies’ cyber defenses, industry professionals say

Insurers are scrutinizing prospective clients’ cybersecurity practices more closely than in past years, when underwriting was less strict.

For many businesses, obtaining or renewing cyber insurance has become expensive and arduous.

The price of cyber insurance has soared in the past year amid a rise in ransomware hacks and other cyberattacks. Given these realities, insurers are taking a harder line before renewing or granting new or additional coverage. They are asking for more in-depth information about companies’ cyber policies and procedures, and businesses that can’t satisfy this greater level of scrutiny could face higher premiums, be offered limited coverage or be refused coverage altogether, industry professionals said.

“Underwriting scrutiny has really tightened up over the past 18 months or so,” said Judith Selby, a partner in the New York office of Kennedys Law LLP.

In the second quarter, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional-services firm Marsh & McLennan Cos.

Direct-written premiums for cyber coverage collected by the largest U.S. insurance carriers—the amounts insurers charge to clients, excluding premiums earned from acting as a reinsurer—climbed to $3.15 billion last year, up 92% from 2020, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms. Analysts attribute the increase primarily to higher rates, as opposed to insurers significantly expanding coverage limits.

Companies buying insurance are subject to tight scrutiny of internal cyber practices. This is different from past years, when carriers poured into the cyber market and competition produced less-stringent underwriting, Ms. Selby said.

Now, insurers aiming to limit their risk are putting corporate security chiefs through lengthy lists of questions about how they defend their companies, said Chris Castaldo, chief information security officer at Crossbeam Inc., a Philadelphia-based tech firm that helps companies find new business partners and customers.

“Prior to the questionnaires, you just gave them the coverage amount you wanted and the industry you were in, and that was it,” Mr. Castaldo said, referring to interactions with cyber insurers.

Discover Financial Services has a third party validate the robustness of its cybersecurity program, which helps with insurance, said CISO Shaun Khalfan. “Insurers want to have confidence that you are making the right investments and are building and maintaining a robust cybersecurity program,” Mr. Khalfan said.

Some of the questions insurers ask—and the level of detail required—can depend on the carrier, the size and type of the business seeking coverage and the amount of coverage desired.

Around 18 months ago, underwriters asked companies whether they required multifactor authentication when administrators accessed their system, said Tom Reagan, cyber practice leader in Marsh McLennan’s financial and professional products specialty practice. Today there’s an expectation that multifactor authentication is used throughout the organization, not just by administrators, he said.

Insurers also expect organizations to have planned and tested for a cyber event, such as through tabletop exercises, Mr. Reagan said: “They are not just interested in your smoke alarms, they want to hear about the fire drills.”

Carriers want to know what kind of backup plans companies have if a ransomware attack strikes and how those plans are tested. Insurers also diving deeper into whether a company’s networks are segregated to limit the spread of malware, Ms. Selby said. Other important criteria some insurers consider, she said, include endpoint protection, or monitoring and protecting devices against cyber threats, and incident-response exercises.

Some companies will need to work with more carriers than in the past to get the desired level of coverage because no single insurer wants to carry so much risk, Ms. Selby said.

Amid the changing landscape, Mr. Reagan recommended that companies start to re-evaluate their cyber-insurance needs as early as six months before a policy comes up for renewal. Starting earlier to identify possible holes allows businesses to make changes to their cyber defenses, if necessary, and gather information that carriers require, he said.