Cyber insurers get serious about threat mitigation

Cyber insurers now thoroughly examine a potential policyholder's security strategy, threat mitigation and incident response plans.

(Top, left to right): David Navetta, partner at Cooley, and Audrey Jean, senior privacy officer and senior associate general counsel at AARP. (Bottom, left to right): James Steel, director and counsel at American Express, and Stephen Liverpool, general counsel at Raymond James Bank. Courtesy photo

Cyber insurance carriers are becoming smarter about online-threat mitigation and are taking such measures into consideration when they set policy rates, according to a panel of cyber coverage experts who spoke during the recent ACC Foundation Virtual Cybersecurity Summit.

Particularly as online traffic and the need for digital business tools swelled during the COVID-19 pandemic, cyber insurance has become critical for businesses large and small. But now, before cyber insurers write a policy, they thoroughly examine a potential policyholder’s cybersecurity strategy, threat mitigation, and incident response plans.

Cybersecurity threats increase

While there was plenty of competition in the early days of the cyber insurance market, risks and coverages were not very well understood, said James Steel, director and counsel at American Express Co. in New York.

In-house counsel now need to work with their information security teams to map out how they respond to incidents in order to illustrate to insurance providers how they would handle a potential attack. They also need to look at how secure their third-party vendors are, the panelists advised.

Securing cyber coverage is “a lot tougher now,” Steel said. “Underwriters are looking much more carefully at what you’re doing in-house to make it an attractive risk.”

The current environment also features larger ransom demands and increased regulation, such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation. As a result, cyber insurance underwriters are asking tougher questions.

“All of these risks and losses are adding to the insurance companies asking, ‘What exactly are we covering here?’” said David Navetta, a partner at Cooley in Denver.

Stephen Liverpool, general counsel of Raymond James Bank in St. Petersburg, Fla., said underwriters have become more sophisticated than in years past and are asking more pointed questions about an organization’s cybersecurity responses and infrastructure.

“I’ve found that putting some time and effort into how you present your organization’s risks and controls is helpful in having those conversations with the underwriters,” Liverpool said.

How to prepare

The insurance brokerage and consultancy Woodruff Sawyer suggests that businesses follow these steps to prepare for the cyber insurance underwriting process:

  1. Get your teams ready. Preparing for the relevant topics and questions requires input from experts on several teams: compliance, legal, information security, and so on.
  2. Gather the information. Insurers are looking for specific information about your current enterprise information security practices and protections.
  3. Review current controls and policies. Do you have the best practices in place that underwriters will want to see?
  4. Address any deficiencies and vulnerabilities. Keep in mind that insurers use the same kinds of tools as security teams, such as threat intelligence reports and scans of a company’s networks for vulnerabilities, as part of their underwriting process.
  5. Highlight improvements. Articulate clearly to the underwriters the investments and improvements you are making in cyber risk mitigation. Details and transparency matter here and can make or break the outcome.

To reassure underwriters about the level of risk they would be taking on by issuing a cyber insurance policy, in-house counsel should also be evaluating their third-party vendors.

“You should be checking all of your third-parties and ensuring they have coverage, whether it is through your procurement contracts or through your third-party vetting,” said Audrey Jean, privacy officer and senior associate general counsel at AARP in Washington, D.C.

From the perspective of an in-house lawyer, Steel said it is critical to go through the cyber insurance policy and then map out all of the touchpoints of the insurance carrier, detailing what the coverages are and what the exclusions are.

“That way you know how the insurance maps to your internal processes,” Steel said. “If you haven’t given some time to think about what to do in those situations in advance it can be very challenging to do on the fly.”
