Happy New Year, and welcome to 2022! I think we can all agree that 2021 had some highs and some lows. It certainly taught us all how to be resilient, that’s for sure. Whether in work or personal life, we’ve all had to learn how to adapt. Cyberspace has had to flex and adapt as well, with breaches from SolarWinds, Colonial Pipeline, JBS, and Log4j. In kind, cyber insurance companies have had to shift their models and offerings to match the industry’s activity.
Shawn Tuma, Cybersecurity and Data Privacy Attorney at Spencer Fane, LLP, shares his unique insights into the cyber insurance space on this week’s Reimagining Cyber podcast episode, “Cyber insurance in the wake of Log4j.” (You may recall that Tuma shared his expertise in last August’s Reimagining Cyber episode, “So you’ve been hacked, now what?”) In this week’s episode, Shawn reflects on the recent changes he has witnessed firsthand in cyber liability insurance and shares his insights into best practices for organizations looking for or renewing cyber insurance.
Cyber Insurers Learn from Experience
“2021, I think, will be a watershed moment for when we look back for how the cyber insurance market changed,” Tuma says. Like all of us, cyber insurance carriers are learning from their experience over the past year. As demand for insurance has increased, supply has decreased, and underwriting parameters have tightened and are heavily scrutinized.
“They [insurers] learn how to, to find better risk, right, better risk and reduce risk among the companies they are writing.”
To do that, insurance companies are scrutinizing the organizations they underwrite and insure. For example, some carriers are requiring that organizations have multi-factor authentication (MFA) before being insured.
“We are seeing the carriers themselves, individually, learning from their own claims and their own data and saying, ‘Look, we know that if you do not have multi-factor authentication in your environment, you will get hit with a business e-mail compromise. Boom. Period. End of discussion,’” Tuma says. Without MFA, organizations leave themselves open to password compromises and ransomware attacks.
Cyber Insurance Coverage Models Shift in Reaction to Changing Marketplace
As the level of ransomware attacks and breaches has increased, the costs associated with these events are driving sharp reactions from cyber insurance underwriters. Before underwriting policies, underwriters want to review information about basic exposures, information security controls, data backup procedures, regulatory compliance, and company policies and procedures. In addition, many carriers are now requiring supplemental applications documenting specific controls for ransomware, dependent business interruption recovery procedures, and operational technology networks.
One of the most surprising and concerning shifts in the last year has been insurers defining cyber warfare within their policies. Recently, Lloyd’s of London redefined cyber warfare under its coverage models and is excluding cyberwar attacks between nation-states.
This is concerning, Tuma notes, because there are attackers who understand espionage tradecraft and can make an attack look like it came from one country when it really came from another, which makes an exclusion that hinges on attribution difficult to apply fairly.
“Introducing something like this now, I think it creates a lot of leverage for the carriers. And it's going to be even more important to find the ones that are going to… really try to take care of their insurance,” Tuma says.
Cyber Insurance Policies - Too Big, Too Small, Just Right
Coverage models run the gamut, from those that will underwrite small mom-and-pop restaurants to multi-national conglomerates. There is a policy for everyone. When working with insurance providers, be prepared to:
- Complete an application form: the larger the policy, the larger the form
- Provide a holistic picture:
  - Insurers are looking to define the amount of risk they’re taking on. They’ll want to get a complete picture of any risks, and once applications have been completed, will want to work with your CISO to understand, from a technical perspective, how you’re mitigating risk.
- Answer questions like:
  - Do you allow remote access?
  - Do you have MFA?
  - What is your backup and restore policy?
  - Have you tested it to make sure it’s working correctly and configured properly?
As Tuma mentions, insurers will often reassess environments, as there is no “one and done” policy.
“It is a continually evolving environment. And if you're just basing your decision on that questionnaire or that one-time assessment, then that's a foolhardy approach.”
Cyber Insurance in the Wake of Log4j
Log4j took the cyber space by storm in mid-December 2021. The cyber community is still reeling and dealing with the fallout. Cyber insurance carriers have reacted proactively by sharing threat intelligence and technical information on how to protect organizations from threats.
This approach keeps insurers top-of-mind and reminds companies to reach out to their insurers now, before it’s too late.
If 2021 had a mantra, it would be “Prepare for the worst, expect the best.” By remaining agile, flexible, and resilient, and by preparing for cyber attacks through integrating cyber insurance into a strong cybersecurity strategy, organizations strengthen themselves and become more cyber resilient in an ever-changing landscape.
Do you use cyber insurance? Are you seeing insurers raising the bar for expected security controls? Let’s crowdsource below.
To learn more:
- TechBeacon article: Cyber Insurance: Tighten your security controls or face exposure
- Blog: Cyber Insurance Providers are Demanding More to Earn Renewal
- Climb Webinar: Best Practices for the Renewal of Your Cyber Liability Insurance
- Blog/podcast: Insurers Going Digital: How a Robust Identity Access Management Solution Can Help
- Blog/podcast: What Do Insurance Customers Really Want in Terms of Security?
You can find the latest episode of Reimagining Cyber on Apple, Spotify, Soundcloud, Stitcher, and Google Play. Give it a listen, and let me know what you think.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.