Why it’s becoming harder to get cyber insurance
Insurance companies are setting more stringent requirements to obtain cyber insurance cover. We spoke to several to review their application questionnaires. Here is a summary of what’s changed and what you need to get cover.
When an insurance company wants to determine a reasonable price for a policy, in most cases they can look at years (or decades) of actuarial data.
The world of cyber risk, however, is changing so rapidly that insurance companies are being forced to react and respond in real time.
Why cyber insurers have been paying out on ransomware
The rapid increase in ransomware attacks has driven demand for cyber insurance and ransomware policies.
Insurance companies initially favoured paying out over recovering internally from backups because it seemed like the less costly option.
If the ransom is set at $1m, the insurance company can pay $1m or it can advise the business to refuse and recover from backups. The recovery may take several days or even weeks. That might mean the business claims $10m from its Business Interruption cover. Paying the $1m ransom seems like the cheaper option.
That makes sense if you look at each case in isolation. If you look at the entire system, however, it becomes clear that paying out on ransomware is a bad idea. It feeds a vicious cycle: more attacks lead to more payouts, which lead to yet more attacks. Insurance companies were starting to pay out far more than they could afford.
Changes to cyber insurance cover
Insurance companies have quickly realised that the situation isn’t sustainable. They responded by:
- Increasing the cost of cyber insurance cover
- Applying more stringent assessments of a policyholder’s ability to recover without claiming
- Discouraging paying ransoms
If clients have very, very low controls, then we may not write coverage at all, but mostly what we’re doing is reducing the cover that we’re offering, so if clients do not meet the control level that we are looking for, then we will have to reduce our limit with respect to ransomware by half.
This isn’t unique to cyber insurance. Home insurance requires you to have locks on your doors and windows. Car insurance premiums are lower if you have alarms and an immobiliser.
We’ve spoken to several insurance companies about the changes they have made to their application requirements for cyber insurance.
Here are a few of the questions you can expect to answer in order to get a policy and minimise your premiums.
Questions from insurance companies for cyber insurance
Are your backups separate from your production data?
We’ve seen various phrasings of this question, for instance “are backups kept offline or in a cloud service?”. What the insurers want to know is whether an issue on your production systems (ransomware, for example) could be transferred to your backups.
This is something that has caught out lots of people. If you have a local appliance or are backing up between sites, organisations sometimes don’t segregate the backups from production data properly. You would always do so if you were sending backups off-site to a data centre or the cloud, and you should do the same on your own sites.
Are your backups encrypted?
Whether they’re on removable media like tape or in a remote data centre somewhere, you don’t want them to be readable by anyone who finds (or steals) them.
There is a need to find a way to cover the risk, which is too large for the insurance industry itself.
Have you tested your recovery?
Insurers want to know if you’ve actually tested recovering. They may want evidence of the recovery. In the documentation we’ve seen from insurers, tests must have been in the last quarter, 6 months, or year.
Testing and exercising is often put off when other high-priority projects come along. Annual testing at a minimum is now going to be a requirement for cyber insurance policies.
Do you have a Business Continuity Plan / Disaster Recovery Plan / Cyber Incident Response Plan?
This doesn’t necessarily mean tomes of documentation. Plans should always be appropriate to the organisation they’re for. Smaller, less complex organisations don’t need overly complicated plans. In fact, short, clear and concise plans are better.
Having a plan means that you’ve actually considered and documented how you respond to an incident and how you would recover and keep the business going. It’s not good enough to fly by the seat of your pants and work it out as it happens.
We have also seen questions asking for your specific Recovery Time Objectives and how long it would take for you to recover from an incident.
In the last X years – have you had a ransomware attack / notified customers about a data breach / had an outage longer than 8 hours?
Insurers will be checking on your history and record of attacks and outages to see if you are a sensible bet to insure. If you have a track record of attacks, breaches and outages it will be harder and more expensive to find cover.
What is your annual budget for IT / Cyber?
Throwing money at your cyber defences doesn’t guarantee you’re well protected, but we assume insurance companies will use this answer as a simple sanity check to see if IT and cyber are being adequately resourced.
We are underwriting differently to the different threats. We are doing a lot more questioning around what’s the culture of the firm? What’s your attitude towards cyber security? How much training do you do?
How quickly do you deploy critical updates? / Do you use any software beyond end of life?
Staying up to date with software and patches is one of the fundamentals of good cyber security. You don’t need a big budget to do this well, you just need to have the process in place and the discipline to stay on top of updates.
In the questionnaires we’ve seen, options range from 24 hours up to 1 month.
What cloud services do you use that are essential to your operations?
Your supply chain is critical for you to deliver your services. As cloud adoption has increased, we have all become increasingly reliant on key cloud services like Microsoft 365, accounting, CRM and ERP systems.
We’ve not yet seen detailed questions about the resiliency of your systems in these cloud services but expect more detailed investigation here in future.
How often do you audit the security of your cloud and other service providers?
Your ability to influence suppliers like cloud providers or service providers is less than the control you have over your internal systems. But if your suppliers can’t meet your needs, you can take your business elsewhere.
It is important that you know how these suppliers operate and treat your data. Insurers expect you to audit your suppliers at least annually or every 6 months.
Quotes from: Cyber insurers recoil as ransomware attacks ‘skyrocket’