New Challenges in Getting (and keeping) Cyber Insurance

Cyber risk has increased dramatically for the small and mid-sized business community since 2020.  With the increased efforts of state-based hackers, combined with the higher risk of more work being done at-home and outside corporate firewalls, Cyber risk for companies today is at an all-time high.  

As a result, there’s been quite a bit of change in the cyber insurance marketplace over the last several months.  Claims have increased significantly in both severity and frequency in the last 2 years, and carriers are responding to this loss development by reducing the amount or breadth of coverage they’re offering, or withdrawing from offering cyber coverage altogether.  

Those cyber carriers that remain in the marketplace, do so with significantly increased underwriting scrutiny.  Although there are some smaller risks that can obtain online quotes with little underwriting information provided, this is becoming the exception, not the rule.  A company that is serious about having cyber coverage must also be equally serious about their risk controls.  

There is a general trend on certain security controls being required, and we’ve created a handy “cheat sheet” to highlight the most commonly required controls from many of the major cyber carriers. It’s not exhaustive, but if a company can favorably address each of these issues, chances are they will qualify for coverage, and potentially from more than one insurer.

Cyber Controls Checklist

1. Multi-factor authentication (MFA or 2FA) in active use for:
   a. Remote access to systems
   b. Access to cloud-based services
   c. Remote access to emails
   d. Privileged user accounts
   e. Access to backups

2. Endpoint Detection & Response (EDR) security in place.  Some carriers require this be with “preferred” vendors, including the following as of August 2021:

• Carbon Black
• Cisco AMP
• Crowdstrike
• SentinelOne
• Sophos Intercept
• Windows Defender Endpoint

3. Daily backups, air-gapped, encrypted, and tested. At a minimum, follow the 3-2-1 backup rule:

• 3 copies of data, on
• 2 different media, with 
• 1 copy off site.

4. Anti-phishing training for all personnel, no less than annually, but preferably quarterly, including phishing simulations
   
5. Incident response plan in place, including table top exercises
6. Timely installation of patches and management of end-of-life software.
7. Also important, but not as high-profile right now –  data encryption, anti-virus/firewall, DNS protection, and deletion of user accounts upon the user’s departure from the company.
8. Many carriers will scan an insured’s website and public-facing systems prior to quoting, those that do will decline to quote if they find open ports, insufficient website security, or unpatched vulnerabilities. 

As you can see, protecting your company from cyber risks has become a team effort, with management, IT personnel, and insurers all having a critical role to play.  If you want help in making sure your company can qualify for this critical coverage, contact us and talk to one of our cyber coverage experts on how you can maintain control over this ever increasing area of risk.

About the Author

Larry St. John is a 20+ year veteran of insurance and risk management for the construction and electronic security industries.

He can be reached at LStJohn@eclipseinsurance.com