Cybercrime isn’t going anywhere, so waiting for a change in the weather is not a viable strategy. The fact is, any business that uses a computer is vulnerable, whether or not you store sensitive data. Now’s the time to match cyber insurance coverage to your cyber risk.
Your path to a cyber policy
Take some advice from Josh MacDonald, Chief Underwriting Officer at Elpha Secure, as you start to navigate your insurance options. Here, Josh walks us through key coverage aspects, smart timesavers, and pitfalls to avoid along the way.
Q: What problems might you face when purchasing cyber insurance?
A: Well, the first hurdle is to determine your course of action. Given that cyber insurance is a relatively new business coverage (and evolving by the day), it can be difficult to know how to start and where to go.
There are two avenues for business owners: you can get insurance coverage directly from an insurance carrier, or you can choose to work with an insurance broker. For relatively straightforward coverage (think car insurance or renters insurance), you’ll find plenty of options online that will deliver a policy with the click of a button. However, when it comes to cyber insurance, I’d think twice about proceeding on your own. There are many business variables to consider with cyber, and it can be confusing — even risky — to make the decision without understanding those details.
As cyber risk has grown, and cyber losses have impacted insurance carriers, coverage limits and other details have shifted.
In almost every case, I’d recommend working with a cybersecurity insurance broker, who will have kept up with the changing cyber risk and cyber coverage landscape, so you’re more likely to find a policy that aligns with where your business is today. Of course, you’ll need to provide your broker with some key information that highlights your cyber risks so they can narrow down your best options.
Q: You mention options — just how many types of cyber policies are out there?
A: The most basic cyber coverage is what you’d find in a business owner policy (BOP), which is the kind of coverage you could get directly from an insurance company.
If you have a BOP policy, you might have cyber insurance without even realizing it: for the last five years or so, these BOPs have included very basic cyber coverage with small limits. Unfortunately, this limited cyber coverage won’t do your business much good.
As cyber risk has grown, and cyber losses have impacted insurance carriers, coverage limits and other details have shifted. Today, you’ll find the terms of cyber policies range widely, and you need to pay extremely close attention to the details to be sure you’re getting what you need.
Whenever you’re considering cyber insurance, look for specific features that offer appropriate coverage for your business. Everything from your revenue to the size of your staff to the nature of the records you keep will determine what “appropriate” coverage looks like for you.
Getting the formula right from the very start will be an enormous help to your business if a cyber incident were to corrupt your data, force downtime, or interrupt your daily operations in any number of ways.
Q: What features in a cyber policy are most important to consider?
A: Certain cyber coverages can be found in most cyber policies — Business Interruption, Incident Response Expenses, ransomware loss, and so on. These coverages are important, but they’re not always enough. When it comes down to it, your policy should reflect what you need to recover from an incident, not necessarily what’s standard.
Let’s take, for example, a manufacturing business. Given the nature of the operation, the company doesn’t deal with much credit card or personally identifiable information (PII), so coverage that responds to data compromise might not be a top priority. However, if the company’s system was hit with a DDoS attack that brought operations to standstill even for a few days, the consequences could be severe — that’s when they’d count on their business interruption coverage.
In the end, all industries have their own risks, and all insurance carriers have their own policy agreements. Industry lingo can be a barrier, but so can an incomplete understanding of your business risk. Your broker can help on both fronts.
Q: On that note, how does risk management factor into cyber insurance?
A: The two are really becoming inseparable. There are now strict underwriting requirements in place that can make it more difficult to qualify for cyber coverage unless you’ve attended to your cyber risk. And in many cases, cyber insurance cost is directly tied to your cyber posture.
Requirements will vary according to company size and industry, but one universal concern among insurers is how resilient a business would be in the face of a ransomware attack. After all, a robust defense will help limit the loss.
For businesses seeking cyber coverage, it’s time to adopt security measures like offsite backups, multi-factor authentication (MFA) for remote access, endpoint detection and response tools, and an aggressive patch management policy (just to name a few). The list will change according to each case, so there’s no real way to know what’s optional versus what’s required to qualify. This is another opportunity to tap into your cyber broker’s expertise.
In 2022, almost every business has cyber exposure. If you assume your risk is low, you could be in for a big surprise.
Not only can your broker speak to what underwriters are looking for, they can help equip you with the tools you need to qualify — and to renew your policy when the time comes. As I mentioned before, cyber risk is changing by the day, and that means requirements could change during the course of your policy.
Many companies are getting notices from their insurance carriers stating their policies aren’t being renewed, or that they’ll receive much less coverage than they had before. Whether it’s poor cyber hygiene or the changing appetite of the insurance carrier that’s to blame, it can make for an unpleasant surprise at renewal time. A cyber broker will alert you to changing requirements, cybersecurity gaps, and the general cyber insurance landscape, so you can make any adjustments you need before your renewal date.
Q: What are the steps to choosing the right cyber policy?
A: The first one is pretty straightforward: understand why you need cyber insurance. That might seem obvious, but it can involve some research and reflection. In 2022, almost every business has cyber exposure. If you assume your risk is low, you could be in for a big surprise.
There’s been an undeniable uptick in cybercrime during the pandemic. An FBI Internet Crime Center (IC3) report shows that a record-breaking 791,790 cybercrime complaints were received in 2020. Add to that the rising costs of remediating a cyber attack, and you’ve got a recipe for widespread financial fallout.
When you understand what you need to be insurable, you’ve got a good head start.
So, the next step is to discover what your exposures are. This will be difficult for you to do on your own, since you likely haven't considered the details that an insurance company would be most interested in. For instance, what kind of information do you store, and how much do you have? What are your enterprise assets, and how (and how often) do you conduct transactions online?
The answers to these questions can determine specific requirements. To give an example, you may find you need more Dependent Business Interruption Coverage (where a third-party’s system has been compromised, disrupting your own operations) than first-party Business Interruption Coverage, which responds when your business is directly attacked. Or the other way around. Not sure how to handle that decision? You’re not alone.
This is another situation where your broker can clarify and expedite the process. Once they know your exposures, they can balance limits for your business with an appropriate deductible (and of course, the final premium price) to find a good insurance carrier match.
Q: Alright, so you’ve defined your needs, reduced your risk, and applied for cyber insurance. How long will it take to get covered?
A: When you understand what you need to be insurable, you’ve got a good head start. Assuming you already have the cybersecurity tools in place, and you’ve engaged a broker to get a quote on your behalf, you can get a quote and bind the policy the same day. If you don’t have the tools in place, it can take a significant amount of time — weeks, or even months — to implement the required tools, qualify for coverage, and receive the policy.
Also, remember that quotes don’t last forever. Once the work is underway, be committed to buying the policy; if the quote expires, you’ll need a new quote (and there’s no guarantee it will be the same as the first).
Finding a proactive partner
When you’re ready to compare cyber coverage, think about what else the carrier is providing to help you manage your risk. Are they looking out for you over the course of your policy? What will they do for you when you have a claim?
If cyber risk management is prevention, cyber insurance is reaction and recovery — and that calls for a reliable action plan. Financial support is crucial, but there are other elements that will help you recover from a cyber incident, too.
Ask about the incident response resources that come with your policy, since these can drastically reduce the time, effort, stress, and financial loss that a major cyber incident can bring. When you’re confident you have a strong team in your corner, you’ll rest easier knowing that you can make it through the worst-case scenario.
Looking for more expert takes on cyber insurance and cyber risk? Read what our VP of Claims has to say about this new age of cyber extortion.