Cyber Insurance Market 2022: FAQs & Updates with iBynd
iBynd VP of Insurance, Tim Logan, and Trend Micro’s Cyber Risk Specialist Vince Kearns provide insights on cyber insurance must-haves, pricing, services, and how the industry is changing in the face of ransomware attacks, cryptocurrency, and emerging cybersecurity technologies.
While cyber insurance has been around for almost 20 years, this is the first time the product has faced a hard market. The dramatic increase in costly, crippling attacks like SolarWinds and Colonial Pipeline has accelerated the demand for cyber insurance policies. In response, carriers continue to raise premiums, decrease policy limits, and mandate new security requirements. Unsurprisingly, questions asked on new applications have led to mass confusion for enterprises trying to secure or renew their cyber insurance policy.
To make sense of the rapidly changing market, I went right to the source and reached out to Tim Logan, VP of Insurance at iBynd, an InsurTech broker that specialises in cyber insurance and is licenced in 50 states. Watch the full webinar or keep reading for a straightforward breakdown of cyber insurance requirements and trends to help you reduce cyber risk.
- Q: What is cyber insurance and why is it important?
- Q: What are the most important cyber insurance policy coverages for businesses?
- Q: How is the price of a cyber insurance policy calculated?
- Q: Do tools like security rating services play a part in a company’s policy pricing?
- Q: What can businesses do to make themselves more attractive to carriers?
- Q: How has cryptocurrency impacted ransomware policy coverage?
- Q: What changes have you seen in the cyber insurance market during your decades of experience?
- Q: What are your predictions for the cyber insurance industry?
Q: What is cyber insurance and why is it important?
Cyber insurance generally covers liability in the event of an attack (like ransomware) or breach where sensitive data may be compromised, whether that’s social security numbers, driver’s licence numbers, payment card information, or health records: anything that is identifiable to an individual.
Logan compared cyber insurance to a life preserver: when an event occurs, cyber insurance responds and helps keep the business afloat so it can get back on its feet, operating, and making money.
Q: What are the most important cyber insurance policy coverages for businesses?
- Notification and expense coverage
After customer data is compromised, there are state-regulated notification requirements an organisation must follow. Cyber insurance companies help navigate and handle the notifications and the expenses associated with them, such as hiring a forensics expert to identify the cause of the breach, monitoring the affected individuals’ credit score, and paying costs to restore stolen identities.
- Business interruption
Remember when the Kaseya ransomware attack in the US led to Swedish supermarket chain Coop shutting down 800 stores? If Coop had business interruption coverage, it would help recoup (no pun intended) some or all of the lost revenue.
- Liability
In the event a group or individual decides to sue your business after a breach (for example, for negligence because you didn’t have the right security controls and procedures in place to stop sensitive data from being compromised), liability coverage would assist with legal expenses and/or settlement costs.
- Funds transfer fraud
The FBI estimates that since 2016, business email compromise (BEC) attacks have caused $43B in losses. If an unsuspecting employee falls victim to a BEC scam, funds transfer fraud coverage helps cover losses.
- Ransom/extortion
If you find yourself being extorted after cybercriminals encrypt and potentially exfiltrate sensitive data, this coverage will help you attribute the threat actor, negotiate, and pay on behalf of the business to regain access.
Q: How is the price of a cyber insurance policy calculated?
Cyber insurance policy premiums are calculated through a combination of objective and subjective factors.
The base price is typically determined by four objective factors:
- Type of business (financial, government, health care, etc.)
- Revenue of business
- Number of sensitive records the business is responsible for
- Location (some states and jurisdictions are more favourable toward victim awards, which can affect liability coverage and costs)
Next are the subjective factors: the underwriter can adjust prices depending on the responses to questions such as: Does the business use multi-factor authentication (MFA)? Does it have a strong cyber incident response plan or a partnership with a vendor? According to Logan, favourable answers can lead to discounts of up to 15%. But again, pricing will be primarily dependent on state regulations.
Q: Do tools like security rating services play a part in a company’s policy pricing?
Risk rating services, like SecurityScorecard and Bitsight, are another subjective item that can influence an underwriter. For small and medium businesses (SMBs) especially, demonstrating a solid risk score can be seen as a positive by the insurance broker, leading to further price reductions.
Q: What can businesses do to make themselves more attractive to carriers?
Before bringing out the dog and pony show, businesses need to have the basics outlined in the application: MFA, regularly tested offsite and onsite backups, a cyber incident response plan in place, etc.
Beyond these, carriers are looking for organisations that can demonstrate strong cybersecurity maturity. Examples include a dedicated cybersecurity staff (depending on the business size) and/or a strong partnership with a cybersecurity company that provides additional services and products for continuous monitoring, like EDR and XDR.
Q: How has cryptocurrency impacted ransomware policy coverage?
Cryptocurrency adds another layer of complexity during the ransom process, but it also shows the inherent value in having a cyber insurance policy.
Logan stated that whether a threat actor compromises sensitive data or shuts down your critical systems, there’s a 99% chance a ransom demand will be sent, and 100% of the time payment is demanded in cryptocurrency.
Cybercriminals prefer cryptocurrency because it’s anonymous and hard to trace, but businesses don’t often have a couple hundred thousand dollars of Bitcoin sitting around. And even if you come up with the funds, you could be unknowingly breaking the law by sending money to an organisation or individual on a restricted OFAC list. Your carrier can help you navigate the entire ransom process, from verifying the threat to negotiating the payout and ensuring the FBI won’t be knocking at your door the next day.
Q: What changes have you seen in the cyber insurance market during your decades of experience?
Logan remembers that back in 2006 there were only three underwriting questions: How many records do you maintain? Have you had any claims? Do you have a backup system that you test periodically?
A few more questions were added throughout the years, but Logan noted the biggest changes occurred when COVID-19 hit.
The global pandemic led to an influx of remote workers, leaving systems more vulnerable. Simultaneously, threat actors became more sophisticated and focused on BEC and ransomware, leading to an uptick in claims. As a result, insurance brokers began to scrutinise which types of business would be eligible for coverage, applications became increasingly robust, and prices rose significantly, even for existing customers looking to renew their policy.
Q: What are your predictions for the cyber insurance industry?
Logan expects policy rates and coverage restrictions to increase for the next six months before stabilisation occurs.
“When I say stabilisation, that means we’ll see it flatten out. I don’t believe we’re going to see us go back to a time where prices were dropping drastically,” clarified Logan.
However, as more states restrict organisations from paying ransom demands, that could lead to cost savings as ransom coverage will no longer be needed.
Next steps
Like auto or health insurance, cyber insurance is becoming a must-have to protect organisations from financial risk. Not only will coverage save you from drastic unplanned expenses, but preparing to renew or obtain your policy will also inherently force you to examine and potentially strengthen your cybersecurity maturity. To learn more about cyber insurance and cyber risk management, check out the following resources: