Insurance Companies Are Changing Their Demands
The cyber liability insurance market is growing at a gigantic rate. In fact, by 2028 it’s expected to reach $28.445 Billion USD. This market stood at a revenue of $7.49 billion USD in the year 2021, and is anticipated to grow at a Compound Annual Growth Rate (CAGR) of 24.90%. That’s more than 6 times where it was in 2018. As more businesses take on a more digital approach and the increase in cyber-attacks grow too, insurance companies are changing as demand for their services increases. What they will cover and the requirements and obligations they expect of their clients will change (if they haven’t already) by your next renewal date.
WHAT IS CYBER LIABILITY INSURANCE?
If you’re reading this article because you are wondering what cyber liability insurance is, let alone what changes these insurance companies plan on implementing, then know first that if your business does not have insurance, you need it. Cyber liability insurance is intended to cover financial losses as a result of internet-based risks, most particularly cyber attacks. Cyber liability insurance does not cover the physical or even bodily harm that may directly pursue and be a result of a cyber attack.
For those businesses registering and acquiring cyber liability insurance now, focus on the requirements provided by your insurance company before signing your contract. If your insurance policy is up for renewal soon, check your new documents and make note of any changes prior to approving renewal. It is important to ensure you can comply with all of your obligations. In the event you file a claim after a cyber attack or a phishing scam, you may not be eligible for coverage if not all of these were met.
WHAT CHANGES MIGHT MY CYBER LIABILITY INSURANCE COMPANY INTRODUCE AT RENEWAL?
Although the exact changes will be determined by your state and implemented and notified to you by your broker or agent, there are a few common changes that we have noticed multiple companies choosing to implement come the time of renewal for most businesses.
1. Security Awareness Training
Cyber security training has quickly become a requirement for many insurance companies. Prior to the federal or state mandated Insurance Data Security Model Law which requires companies to be more precise in their requirements and not to make biases based on the size and intent of a business, most businesses were simply expected to conduct cybersecurity prevention to the best of their ability. There was little to no guidance regarding what steps an insurance company could demand. Often, intensive training was not expected. Many of the initial victims of businesses are the employees themselves. Having security awareness training that provides resources, information, and education on cyber security has become essential in preventing cyber-attacks.
2. Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA)
The use of two-factor authentication is extremely imperative when it comes to security. 2FA and MFA is an additional layer of security that requires users to enter a second password or code in order to authenticate themselves when logging into a network, system, website, or application. Basically, this means that if an initial password is guessed or recovered during a phishing scam, unauthorized users cannot access sensitive information because they do not have access to the device. which is where the second code or password is found.
Implementing 2FA/MFA into your cybersecurity plan has become a requirement for many industries. Cyber liability insurance companies are seeing the benefits and protections that result from adding this layer of security.
On the subject of passwords, further security measures such as password management applications have quickly been added to the list of requirements by cyber liability insurance companies. Refer to our article here to learn what a password manager is and why it is recommended.
3. Endpoint Detection and Response
As the face of the workplace moves to a more hybrid approach in a post-pandemic world, we can also expect requirements to include those working remotely to have high-security measures put in place as well. This should include using devices provided by the workplace that are preconfigured with Next Generation Antivirus or Deep Learning protection coupled with a Security Operations Center that is proactively monitoring for threats such as signs of a ransomware attack. This is commonly referred to as Endpoint Detection and Response or “EDR”.
4. Robust Backups
Just “having a backup” is no longer enough. Hackers have repeatedly taken advantage of access to backups to great effect. Often they will delete or encrypt backups prior to deleting the “working set” of data a company uses with the purpose of holding those backups for ransom.
Backups must be segregated from access except when needed. Those backups must be regularly tested, and offsite storage is a must. Often the best way to meet all those needs is a BCDR. These devices, and the software they employee, are complete drop in solutions that allow a business to backup all local servers offsite and in a way that allows secure backups and swift recovery times.
A similar approach must be applied to cloud hosted file systems. Files in the cloud without a backup are a click away from disappearing forever.
These items are only some of the requirements being added to insurance policies. As cybercriminals and the software used to attack businesses discover smarter ways to find vulnerabilities and reach targets – and as those designing new ways to protect our data and internet users around the globe keep evolving – so too will insurance companies need to adapt.
If you would like to learn more about the new requirements insurance companies are imposing, how you can ensure you meet each requirement, and, in addition, maximize your protection from cybercrime, reach out for a conversation with one of our Senior Technology Consultants today!