How Your Organization Can Avoid Denial of Cyber Insurance Coverage
July 13, 2021
Technologies like widespread high-speed internet, cloud-based Software as a Service (SaaS) technologies, and collaboration tools like Zoom and Microsoft Teams allowed many businesses to adapt quickly when the pandemic hit. However, other, often older technologies and architectures hamstrung organizations because they were originally designed to protect users working in offices behind firewalls, and those users were no longer physically there. As a result, we saw what some have called a cyber pandemic that ran in parallel with the real one – a massive uptick in ransomware attacks, with the FBI reporting complaints about cybercrime jumping by 1 million over the prior year.
Insurance carriers are feeling the effects acutely. According to Fitch Ratings, the average paid loss for a standalone cyber claim jumped from $145,000 in 2019 to $358,000 in 2020. Cyber insurance profitability, as a result, has plummeted, forcing carriers to raise premiums and increase underwriting standards for companies that are up for renewal.
In the last few weeks, DGC spoke with many organizations that were denied cyber insurance renewal. Here are some first-hand situations that they experienced, and steps DGC’s IT Risk team recommends you take to avoid this happening to you:
1. Enable multi-factor authentication so that an additional factor beyond username and password is required to access your company’s network resources.
2. Make sure your computers are up to date. Many of these insurance companies use data from third-party security analytics companies that can detect when employees on your network are browsing the web from computers with unsupported versions of Windows or the Chrome web browser.
3. Maintain an accurate asset inventory, including resources in the cloud, and periodically scan them for vulnerabilities and misconfigurations.
4. Have an incident response plan tested and vetted with various disaster recovery exercises, including tabletops, functional, and full-scale exercises.
5. Ensure you are backing up critical systems regularly and testing restores. Your backups should be protected against ransomware. A classic best practice rule for backups is the 3-2-1 rule: three copies of your data, on two different media, with one copy off-site.
6. Lastly, insurance carriers are increasingly asking if your organization is aligned to a security best practices framework, like the CIS Critical Security Controls, NIST Cybersecurity Framework, ISO 27001, or SOC 2, among others. Aligning to a framework gives you a library of best practices across multiple domains to measure your organization against.
If you are facing denial or non-renewal, we recommend starting with a self-assessment using a leading framework. The exercise will identify numerous gaps, which can then be prioritized based on each action’s ability to reduce your organization’s overall risk. Tackling these challenges proactively can help avoid or mitigate insurance surprises, or worse yet – a ransomware outbreak that could cripple your business.
If you need to submit a business interruption claim due to a cyberattack, managing the claim and calculating the amount of lost income is itself a formidable and complex task. It is critical that your claim is prepared and supported properly to ensure that you recover your losses in a timely manner. DGC has prepared a Business Interruption Insurance Claim Checklist that details the steps that should be taken when filing a claim.
As the COVID-19 pandemic draws to a close – at least in the United States – many companies have decided to make remote work permanent. However, many companies have not improved their security practices sufficiently to deal with this new normal and, in addition to experiencing an increased number of cyberattacks, they are getting denied when trying to renew their cyber insurance coverage.
Our guest blogs are written and produced by organizations within our membership. They are not intended to reflect the views nor opinions of the Greater Boston Chamber of Commerce.