December 9, 2021

Cybersecurity Insurance: Higher Cost – Less Coverage

Cybersecurity insurance companies are experiencing record payouts, increasing from $145,000 in 2019 to $358,000 in 2020 (per Fitch ratings), a rise of over 247% in just one year. Not only is the number of ransomware attacks increasing, but one attack on a significant supply chain can lead to hundreds of downstream attacks on organizations. Thus, cyber insurance providers seek to recoup those payments through a combination of higher premiums and less coverage.

Confirm your insurance covers the basics

As demand for cyber insurance increases, the number of providers is decreasing. Combined with paying higher losses, cyber insurance providers are issuing new policies and renewals with higher premiums and, in many cases, with less coverage. It is up to you to do your due diligence on cyber insurance to understand the cyber policy coverage. When reviewing a plan, you need to evaluate coverage for the basics:

• Data recovery, including paying outside consultants to help you fix a problem and gain control of the issue 
• Repairs to your hardware or software systems 
• Ransomware payments
• Costs of notifying vendors, citizens, and or other entities about the loss 
• Credit monitoring services and identity theft protection for impacted citizens.

In addition to the above, if confidential information is released, does the cyber policy cover any resulting litigation from privacy lawsuits brought by citizens or employees who allege that you were responsible for the data loss? Does the policy cover claims that assert negligence on your part? These claims can add to the total loss from the cyber-attack.  

Make sure you can choose your incident response vendor 

Some cyber insurance vendors dictate which companies you must use for incident response to control payout costs should an attack occur. It could leave you without the ability to use a trusted and approved vendor partner that you were planning to use. Some policies deny coverage if you go with the vendor of your choice, and others reduce their level of benefits if you “go out of network” like you might when choosing which doctor to see. 

Ten critical questions to ask for renewing or choosing a cyber insurance vendor

1. How do we notify you of an attack? Is there a time limit?
2. If a ransomware attack is determined to be a nation-state attack, are we covered?
3. Are there any instances where our organization is not covered? (Since phishing is 90% of the cause for most incidents, not every policy covers it or fully covers it.)
4. If we get exploited due to a security failure of an integrated 3rd party, are we covered (i.e., SolarWinds)?
5. If we get exploited as the result of an unpatched system, are we covered?
6. Are we covered if we get exploited due to a zero-day vulnerability in one of our software applications?
7. Are there any geographical limitations or restrictions to the coverage?
8. Are there any technical limitations or restrictions on the coverage? (e.g., breach of phone systems, cameras, security systems?)
9. What minimally acceptable level of security do you expect the organization to have, and what is deemed sufficient proof of those controls?
10. Are we allowed to select our vendor for resolution? Are there any pre-approval requirements to use our vendor(s)?

Taking a few steps to increase your cybersecurity posture can help reduce your insurance costs.  

Furthermore, having a business continuity plan in place is critical to implement should an attack occur. Contact Dewpoint to help you identify and resolve your cybersecurity vulnerabilities to save money.