As if companies did not have enough to worry about in this pandemic, now they can add to their concerns increased costs for heightened internet security, one way or the other; either through implementing better security measures to protect against data breaches, or possibly paying a higher premium for cyber security insurance policies.
Cyber insurers, leery of security risks created by remote working and other effects of the coronavirus pandemic, are stepping up scrutiny of policyholders' security arrangements. These efforts could result in costlier policies, or even coverage denials for companies.
One thing that's become evident for those seeking cyber protection is that underwriters are asking a lot more questions, as remote working increases cyber risk and the more companies implementing this practice on an insurer's book of business, the greater the risk to the insurer that losses will exceed the premiums charged for the coverage. Overall, cyber coverage costs for insurers have been edging up, even before the pandemic. Direct loss ratios, which measure the percentage of income that insurance companies pay to claimants, for stand-alone cyber insurance policies rose to 47% in 2019 from 34% in 2018, according to data from regulatory filings compiled by Fitch Ratings*. In addition, the average ransom demand increased to about $225,000 in the first quarter of 2019 from the 2018 average of about $116,000. With these increased costs, insurers had already been looking at enhancing their understanding of cyber risks and coming up with better modeling techniques; nevertheless, the pandemic has caused insurers to step up their underwriting practices as well.
According to an article published in the WSJ, Stephen Viña, a senior vice president in Marsh & McLennan Co.'s cyber insurance brokering business stated that insurers are worried, for instance, that the use of home networks and personal equipment for company business could introduce cyber risks that might not have been a concern when policies were drawn up. Companies that had strict control over their offices may no longer be able to exert such control over home environments."We think that with more risk being covered, and maybe newer underwriters getting into the business that don't have that pricing expertise, that'll lead to more losses over time," he said.
As such, surveys that help assess risk and calculate premiums now seek more details about how companies plan to handle data breaches, ransomware incidents and other cyberattacks. Insurers are looking for proof from prospective customers of certain universal good practices, such as ensuring that remote access is properly secured, that operating systems are kept up to date with security patches, and that email servers are properly configured to guard against phishing attacks.
Some insurers may also want to see policyholders' business continuity plans, to ensure that they have been updated to take into account remote-working situations and don't rely on everyone being in the office. For example, one ransomware attack might infect thousands of computers in a company, but with a response plan that assumes every worker is in a central location (such as an office), this could be a relatively simple fix. However, with remote work, addressing all of the computers at various locations increases the cost of engineering tasks.
The insurance industry is now tasked with doing its own due diligence to discern the truth from answers on an application for coverage. In addition to possibly working with third-party companies that assess cyber risk, insurers may implement additional underwriting practices, including scanning public-facing elements of a prospective customer's network, such as the company's website or emails servers, looking for vulnerabilities.
Another reason that insurers are giving greater scrutiny to prospective risks is because of the far-reaching security and privacy laws at state, federal and international levels. The General Data Protection Regulation in Europe, and the California Consumer Privacy Act both include heavy penalties for data breaches, for instance, which has driven demand for coverage and created exposures for carriers.
A U.S. government-sponsored report published in March by the Cyberspace Solarium Commission criticized insurers, saying they had a poor understanding of cyber risk and that they weren't helping to improve risk management at companies.
The commission called for the creation of a federally funded program to help insurers understand and price risk, as well as certifications for cyber insurance products that meet minimum regulatory standards.
As such, insurers now often work proactively with customers to inform them of security vulnerabilities before a breach occurs, to avoid costly incident-response procedures. Information on security measures such as email configurations and vulnerabilities on servers can often be determined with a little technical know-how and access to the proper tools, but some underwriters go further.
In the same WSJ previously referenced, Caroline Thompson, head of underwriting at Pleasanton, Calif.-based insurer Cowbell Cyber Inc., said underwriters should demand access to granular technical details that hackers have been known to exploit, including cloud server security configurations and identity management processes, to get a better read on risk.
Refusing access to this information or not following standard security procedures could be grounds for a company being denied coverage, she said. "Underwriters should potentially decline coverages if security best practices, such as multi factor authentication, are not implemented," she said.
*According to Jim Auden, a managing director at Fitch, this data is incomplete compared with other insurance sectors and doesn't include elements such as reimbursements insurers got from their own insurance companies; however, it does provide a snapshot of overall trends.
This premium content is locked for FC&S Coverage Interpretation Subscribers
Enjoy unlimited access to the trusted solution for successful interpretation and analyses of complex insurance policies.
- Quality content from industry experts with over 60 years insurance experience, combined
- Customizable alerts of changes in relevant policies and trends
- Search and navigate Q&As to find answers to your specific questions
- Filter by article, discussion, analysis and more to find the exact information you’re looking for
- Continually updated to bring you the latest reports, trending topics, and coverage analysis
Already have an account? Sign In Now
For enterprise-wide or corporate access, please contact our Sales Department at 1-800-543-0874 or email [email protected]