Since 2021, there’s been an 81% increase in the number of cybercrimes reported to the FBI while the amount of losses nearly doubled, from $3.5 billion to $6.9 billion.[1]
Of course, cyber insurance underwriters have taken notice. Stung by their own losses, insurers are limiting the amount of coverage available, and premiums have more than tripled in 2022.
In addition, in certain risk classes, negotiations over deductibles now begin at $2 million.
Insureds should also expect more underwriting scrutiny and zero tolerance for poor risks. Underwriters will decline or not renew policies for organizations that lack a certain baseline level of network security protection.
How to become a better risk
For organizations to obtain coverage at a reasonable rate, they’ll need to show their security is top-notch. The following four steps have become essential for any organization — no matter its industry, success or even security track record — to be in the discussion for cyber coverage:
- Implement multiple security controls. Before they’ll even give a quote, cyber insurers require multiple security controls:
  - Multifactor authentication (MFA) for remote network access, email systems and privileged accounts.
  - Remote desktop protocol (RDP) ports to be closed or placed behind a virtual private network protected by MFA.
  - Privileged account access limited to those who need access.
  - One or more email filtration solutions such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting & Conformance (DMARC).
  - Top antivirus protection.
  - Endpoint detection and response (EDR).
  - At least one copy of backups stored offsite or in the cloud.
- Emphasize employee training. It is mandatory to train employees, vendors and other key constituents to recognize email phishing and spoofing scams. Cyber criminals are sophisticated in their approaches, so employees need to be just as savvy. This step requires a top-down, organization-wide culture of security.
- Prepare an incident response plan. Insurers want to see an organization’s incident response plan (IRP), a comprehensive plan for addressing network security and privacy liability threats and attacks. The plan tells who to call, what to do and when to do so in case of a security breach. Insurers once considered an IRP nice to have, but now it’s expected.
- Practice tabletop exercises and simulated breaches. A cyber tabletop exercise is a simulated cybersecurity scenario exercise in which participants must respond to a hypothetical incident. Such exercises expose weak links in the incident response plan and in an organization’s communication framework. Once again, insurers are not only interested that insureds have a plan, but that they can show the plan will actually work.
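The email-authentication controls in the list above (SPF, DKIM, DMARC) are published as DNS TXT records, and an underwriter's questionnaire will ask whether they are in place and enforcing. The script below is an added example, not code from HUB or from the page: it scores a domain's records against a defensible baseline (a single SPF record ending in a hard fail, a DMARC policy of quarantine or reject with a reporting address, and a non-empty DKIM key for each expected selector). The domain names, selector name and DNS answers are constructed sample data embedded in the script so it runs offline; a live version would replace `lookup_txt` with a real DNS query.

```python
"""Baseline check of a domain's SPF, DKIM and DMARC records.

Added example, not part of the original page. DNS answers come from a
constructed dict (SAMPLE_DNS) so the check runs offline.
"""
import re

# Constructed sample DNS data: TXT strings keyed by fully qualified name.
# good.example meets the baseline; weak.example fails it in three ways.
SAMPLE_DNS = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...PLACEHOLDER"],
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "s1._domainkey.weak.example": ["v=DKIM1; k=rsa; p="],  # empty p= means the key is revoked
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Return the TXT strings published at `name` (empty list if none)."""
    return dns.get(name.lower(), [])


def spf_all_qualifier(record):
    """Return the qualifier on SPF's 'all' mechanism ('-', '~', '?', '+') or None if absent."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or "+"  # an unqualified mechanism defaults to '+'


def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dkim_selectors=("s1",), dns=SAMPLE_DNS):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []

    # SPF: exactly one v=spf1 record, ending in a hard fail.
    spf = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as a permanent error)")
    else:
        q = spf_all_qualifier(spf[0])
        if q is None:
            findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
        elif q == "+":
            findings.append("SPF: '+all' authorises every sender on the internet")
        elif q in ("~", "?"):
            findings.append(f"SPF: '{q}all' only soft-fails or is neutral; use '-all'")

    # DMARC: a v=DMARC1 record with an enforcing policy and a reporting address.
    dmarc = [r for r in lookup_txt(f"_dmarc.{domain}", dns) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "<missing>")
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: policy p={policy} does not enforce; use quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports will arrive")

    # DKIM: each expected selector must publish a non-empty public key.
    for sel in dkim_selectors:
        recs = lookup_txt(f"{sel}._domainkey.{domain}", dns)
        key = parse_tags(recs[0]).get("p", "") if recs else ""
        if not key:
            findings.append(f"DKIM: selector '{sel}' publishes no usable public key")

    return findings


def meets_baseline(domain, **kwargs):
    """True when assess_domain() reports nothing."""
    return not assess_domain(domain, **kwargs)


if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        print(d, "->", assess_domain(d) or ["baseline met"])
```

The check is deliberately conservative: a `~all` (soft fail) SPF record or a `p=none` DMARC policy is the common "monitoring only" state that satisfies a yes/no questionnaire but stops no spoofed mail, so both are reported as findings rather than passes.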
Contact your HUB cyber expert for more information on your cyber risk.
[1] U.S. Federal Bureau of Investigation, “FBI Releases the Internet Crime Complaint Center 2021 Internet Crime Report,” March 22, 2022.
