Ransomware attacks are becoming alarmingly common, and the skyrocketing number of exposures is putting more and more organizations at risk—and the cyber insurance industry is taking note.
The rise in attacks even prompted the White House to urge U.S. businesses to implement security measures to better protect themselves. The White House suggested businesses consider adopting defensive security measures like those now required of federal agencies and other organizations that do business with the U.S. government.
The increasing number and severity of cyber-attacks is taking a toll on the cyber insurance industry, leading to a slew of ever-changing insurance policies, tightening terms, rising premiums, and more difficulty for organizations trying to determine whether a policy will pay out for a disruptive cyber event.
In response, insurance companies are implementing new requirements for minimum security standards like multifactor authentication, endpoint detection, Zero-Trust policies, and other technology and event-specific exclusions. Many of these requirements differ from one cyber insurance provider to another but are related to a common theme—reducing risks for insurers.
Why is this important? Because as ransomware and other breaches continue to increase, so do the risks for insurers. According to a 2020 survey from the New York Department of Financial Services (NYDFS), between early 2018 and late 2019, ransomware insurance claims increased by 180%, and the costs of those ransomware claims increased by 150%. When increases like this happen, consumers feel those costs in the form of higher premiums, more exclusions, and changing terms and limits—essentially reducing the insurers’ risk by shifting more of the potential financial impact of ransomware attacks back onto your company.
As ransomware and related breaches continue to increase alongside insurance underwriter scrutiny and costs, how can the insurance industry better manage these risks? Can it streamline best practices across the nation, while continually managing risks and adapting to the ever-changing landscape of cyber threats?
Only time will tell, but the answer may very well be in a unified risk management framework, like what we’ve seen recently with the creation of NYDFS’s new Cyber Insurance Framework.
What is the NYDFS Cyber Insurance Framework?
The NYDFS Cyber Insurance Framework is designed to help the cyber insurance market—which is estimated to reach more than $20 billion in the next four years—adopt best practices to manage cyber risk.
The framework encourages insurers to establish a formal cyber insurance strategy with clear qualitative and quantitative goals for risk. The strategy should be directed and approved by senior management and the board of directors, or the appropriate governing body, and it should include a process for measuring progress against those targets. The framework outlines six core best practices that will help insurers mitigate their risk:
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk - Sometimes an insurance policy is worded in a way that covers cyber events, even if the policy doesn’t mention the word “cyber” or wasn’t intended to cover such events. Insurers should explicitly state in their policies whether they cover cyber events, and affirmatively remove cyber coverage from policies not intended to cover them. “Silent risk can be found in a variety of combined coverage policies and stand-alone non-cyber policies, including errors and omissions, burglary and theft, general liability and product liability insurance,” according to NYDFS. “Cyber risk likely has not been quantified or priced into these policies, which exposes insurers to unexpected losses.”
- Evaluate Systemic Risk - Insurers need to understand the wider systemic risks related to cybersecurity. A systemic risk is one that extends beyond a single customer and could impact multiple companies, or even an entire industry, all at once. It can be caused by self-propagating malware or trojans that rapidly spread to infect many computers at the same time, or by the outage of a single third-party provider, for instance a cloud storage provider, on which many customers depend. These kinds of events can lead to a deluge of cyber insurance claims from dozens or more companies at once, potentially inflicting serious losses on the insurer. Insurers must understand the critical third-party vendors used by their customers and model the effect of a catastrophic cyber event not only on a single customer but across their entire network of customers and third-party partners.
- Measure Risk - Insurers should have a data-driven, comprehensive plan for assessing the cyber risk of each customer. Insurers must do their due diligence by gaining a thorough understanding of a customer’s cybersecurity programs, including corporate governance and controls, vulnerability management, access controls, encryption, endpoint monitoring, boundary defenses, incident response planning, and third-party security policies. This information is crucial for the insurer to assess potential gaps and vulnerabilities in their customer’s cybersecurity.
- Educate Insurance Providers and Customers - Another best practice involves education about cybersecurity and cyber incident risk reduction: giving customers valuable information about the value of cybersecurity measures and helping them put those measures in place. Insurers can incentivize adoption of cybersecurity measures by pricing policies according to the effectiveness of the customer’s cybersecurity program, and by offering discounts on cybersecurity services along with cybersecurity assessments and recommendations for closing gaps.
- Obtain Cybersecurity Expertise - Insurers that offer cyber insurance need appropriate expertise to properly understand and evaluate cyber risk. Insurers should recruit employees with cybersecurity experience and skills and commit to their training and development, supplemented as necessary with consultants or vendors.
- Require Notice to Law Enforcement - The final best practice is a requirement that victims notify law enforcement; some cyber insurers already include this in their policies, and it benefits both victim and insurer.
Employing a cyber-risk framework for your organization
Whether your organization already has cyber insurance, is considering it, or hasn’t tackled it yet, you may feel inclined to wait and see what regulations emerge for your specific industry or state. But as they say, the best defense is a good offense, so you should take a closer look at your cyber risks now. It’s better to be ahead of the regulations than to play catch-up, and you’ll need much of this information if you’re moving ahead with a new cyber insurance policy, planning a renewal, or simply strengthening your own cybersecurity program. You may even discover that some of your existing controls, policies, and processes already feed directly into cyber risk analysis and management.
And if all of that seems too daunting for you or your business to handle on your own, contact us here at CBM. Our cybersecurity experts will not only make your business more secure, but we can also help find the right cyber insurance to fit your company.