In the second quarter of 2022, US cyber insurance prices surged 79% compared to a year earlier, and in the two quarters before that, cyber insurance prices more than doubled, according to the Global Insurance Market Index report from Marsh & McLennan, a professional-services firm.
But it’s not actually about prices anymore, said Manny Carmona, Cyber Liability Specialist at Wallace Welch & Willingham. Businesses are struggling to get insured at all, even after demonstrating some security measures.
“A few years back, you implement X, Y, and Z, and the insurance carrier provides the actual premium savings incurred from that implementation,” Carmona said.
But then came 2020 and Covid-19, and with it, remote working environments.
“People working from home certainly increased the cyber exposures of companies,” said Danny Stevens, Sr. Client Executive with OneDigital, an insurance, financial services, and HR consulting firm.
As a result of the proliferation of threats, such as ransomware attacks, he said cyber insurers have expanded their control requirements.
But some companies are slow to pick up the pace.
“Underwriters are swamped with submissions and there are a ton of companies that are hitting their desks with zero controls in place—I’m talking no MFA, no backups, zero best practices,” Carmona said.
Insurance carriers and underwriters are looking for easy placements, and it’s not an easy fit if a company doesn’t have the right cyber controls and security procedures in place.
Cyber insurers run external scans of an applicant’s network to find vulnerabilities, but insurance broker Chris Beckmann with RT Specialty said they are looking for more than that.
“Most importantly are the answers provided on the cyber and ransomware applications,” he said.
While business continuity and disaster recovery plans are important, cyber insurers are looking for controls to be in place, Beckmann said.
Stevens and Beckmann came up with a list of what clients can take to their insurance carriers to show their cybersecurity efforts:
- Multi-factor authentication protection implemented for remote access including third-party access, cloud services, email (such as with Office 365), backups, privileged users, and critical applications
- A robust backup solution that is either disconnected (“air-gapped”) from your network or segregated from your network with multi-factor authentication access control. Backups should be tested frequently and be capable of restoring essential functions within 24 hours in the event of a widespread ransomware attack across your network.
- Next-Generation Antivirus protection including automated endpoint detection and response functionality on all endpoints. All detected endpoint activity should be monitored and investigated 24/7/365.
- An email filtering solution that pre-screens emails for potentially malicious attachments and links
- Critical patches applied on a regular, monthly cadence
- End-of-life software segregated from the rest of the network
- Email authentication: Sender Policy Framework (SPF) to authenticate the sending server; DomainKeys Identified Mail (DKIM) to protect senders and recipients from phishing; and Domain-based Message Authentication, Reporting & Conformance (DMARC) to protect against spoofing and unauthorized use of the domain
- Proof of regular social engineering and phishing training
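As an added illustration of the email authentication item in the list above (this is not code from the article or from 360 Advanced), here is a small Python checker that parses SPF and DMARC TXT records and reports the weak settings an underwriter’s external scan would typically flag: a permissive or missing `all` term in SPF, a monitor-only DMARC policy, partial enforcement, and no reporting address. The domain names and records are constructed samples, and the checker reads record strings rather than querying DNS, so it runs offline.

```python
import re

# Constructed sample records for two hypothetical domains (not real DNS data)
SAMPLES = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mail.example ip4:203.0.113.10 -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
    },
}

# SPF terms that cost a DNS lookup and count toward the limit of 10 (RFC 7208 section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Parse an SPF TXT record into (mechanisms, all_qualifier).

    all_qualifier is '+', '-', '~', '?' or None when no 'all' term is present.
    Returns None when the record is not an SPF record at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lowercase tags, or None if not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records meet the bar."""
    findings = []

    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no valid v=spf1 record")
    else:
        mechanisms, qualifier = spf
        if qualifier is None:
            findings.append("SPF: no 'all' term, so unlisted senders are not rejected")
        elif qualifier == "+":
            findings.append("SPF: '+all' lets any server send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
        lookups = 0
        for term in mechanisms:
            name = re.match(r"[+\-~?]?([a-z]+)", term, re.IGNORECASE)
            if name and name.group(1).lower() in LOOKUP_TERMS:
                lookups += 1
        if lookups > 10:
            findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no valid v=DMARC1 record")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} is monitor-only; spoofed mail is still delivered")
        try:
            pct = int(dmarc.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        result = assess(records["spf"], records["dmarc"])
        print(f"{domain}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run as a script it prints two findings for `weak.example` and `OK` for `hardened.example`. To check a real domain, fetch the domain’s TXT record and the `_dmarc.<domain>` TXT record with your resolver of choice and pass the strings to `assess`; the same checks apply.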
“Becoming more insurable allows a business to be accepted in stronger and more competitive cyber programs, which are the ones that generate the more economically feasible premiums,” Carmona said.
How 360 Advanced Helps
From SOC Reports, Penetration Testing, ISO 27001, and more, our cybersecurity and compliance assessments get you started on the most appropriate security program for your business security. While ransomware attackers are getting more aggressive every day, 360 Advanced actively reviews the latest threats to help you stay ahead of risks and better protect your assets. We tailor our methods to your company’s unique needs, always with an eye on your budget. Contact us today to schedule your assessment.