Cyber insurance is becoming increasingly expensive, and exclusions seem to be expanding as cybercriminals become more and more audacious. If you are wondering what's going on in the world of cyber insurance lately, you've clicked on the right place.
We are excited to have Neel Desai as our next guest on A Little Privacy, Please!® Neel is an attorney who has devoted his career to the insurance field, focusing on cyber insurance. He is vice president, Cyber practice at Lockton Companies, a major player in cyber insurance. Today, Neel will be sharing his insights on cyber insurance.
Let me start by asking a question that many of my clients ask: Why is the cyber policy premium going up so dramatically?
The inability of carriers to understand what exposure for ransomware looks like led to cheap pricing. Once ransomware exploded about three to four years ago, not only did we see higher rates and demands, but ransomware as a service became a thing. You had various criminal gangs throughout the world utilizing malware that they obtained from alternative means to leverage ransomware across company networks. Carriers started paying out $5, $10 million limit claims on very minimally priced cyber insurance policies. We saw the market start trying to overcorrect, and pricing ballooned as a result of that.
It's been a combination of a lack of stricter underwriting standards, not much education, and a lack of actuarial data on what a ransomware or cyber claim costs. The resulting impact on the market was quite severe and is finally starting to stabilize some.
What questions should companies ask when they are evaluating cyber insurance policies?
There are several areas that you want to look at.
I think a lot of times, especially with our middle-market clients, there really isn't a full understanding of your cyber exposure. You want to make sure you are working with an advisor or broker that understands the cyber insurance landscape, shows you analytics, and tells you about what your industry sector is generally seeing from a claims severity and frequency standpoint.
The exclusions are expanding. You want to make sure that when you're going through your cyber renewal process or buying the product for the first time, you are fully aware of what the language in your policy means. What is covered? What is not covered? What triggers are required for things like the privacy or regulatory aspects of your policy to come into play? Ask those questions of your broker to make sure you are getting the information you need to make an informed decision for your company.
Is there anything companies can do to help lower their cyber insurance premiums?
Several controls are essentially table stakes to get into the cyber insurance door and have meaningful coverage.
Multifactor authentication is not just for your email or employees who remotely access the network but across your enterprise for things like privileged administrative accounts or client applications. Making sure you're secured by MFA is critically important to not only getting a lower premium but getting appropriate coverage.
Number two is an endpoint detection and response tool. Ensure that you are monitoring your endpoints appropriately, making sure that there is an eye and a lens on what's going on within your network consistently and that it's being monitored appropriately.
Number three is creating resiliency across the enterprise. Back up all your data and your servers, and make sure that, in the event you do have a catastrophic ransomware event, you are able to recover appropriately; then you can avoid paying a ransom. That will help your insurer feel comfortable that your business interruption loss is going to be substantially less than it would be if you did not have the proper resiliency in place.
On top of that, providing good underwriting information is key. As privacy laws across the United States are starting to come back up and come into force in 2023, you want to make sure that not only are you staying in compliance with these privacy laws, but you are showing the insurance markets that you have teams in place not only from the cyber security technical standpoint but also from a legal compliance standpoint. Trying to articulate and tell a story for your company is key to your achieving a lower premium and getting coverage.
More and more state privacy laws are coming into play. How are new state privacy laws going to impact the cyber insurance space? Will a policy cover violations of state privacy law?
Carriers aren't quite certain yet. What will that exposure look like two or three years from now with the laws on the books now? Their impact could be very wide-ranging, and we just don't know yet how it will look.
You mentioned class action cases for pixel tracking. Do pixel-tracking privacy claims potentially implicate cyber insurance?
We are early in these lawsuits and in how they are developing, being settled, and resolved. It's hard to say for sure that coverage is always going to be 100% extended, but with the programs contemplated, we are reporting all these claims to their cyber insurance carriers, and we expect coverage to extend.