A lot is changing in the realm of cyber insurance, especially since the war in Ukraine began. We cannot speak for insurance agents or their policies with any degree of specificity, but we can share with you what we are seeing from the Managed Security Services Provider end of the equation.
The fear of state-sponsored Russian cyber actors hitting American industries and infrastructure has ignited a surge of interest in cyber coverage. We have been getting a lot of calls from businesses requesting help as they navigate the forms they must complete to get the coverage they seek. The cybersecurity evaluation forms are asking for explicit details: insurers want to know what security controls the company actually has in place to protect the business network. Many of these questions were never asked historically. Cyber insurance used to be much more like an umbrella policy, but it is not that way anymore, and that is taking some businesses by surprise. The reason is clear: long before there was a war in Ukraine, insurance companies were shelling out big bucks for covered companies that had decided to spend their money on insurance rather than on proper network security. And, just as health insurers have learned that it is risky to cover base jumpers, cyber insurers have now paid out enough ransomware ransoms and network remediation costs that they are strictly limiting what kinds of networks they are willing to cover.
Setting limits and expectations on coverage has been developing for a while. State-sponsored attacks by Russia certainly did not begin with the recent invasion of Ukraine; they have been going on for well over a decade. So when we are called in to help a business complete an assessment of the network the insurance company will be covering, our assessment usually includes the status of these elements of network security:
Is there multi-factor authentication on email accounts?
What kind of visibility and logging is in place (Security Information Management, “SIM”)?
What type of firewall is used?
Is there endpoint protection, and is there endpoint detection and response (EDR) behind it?
For healthcare, what medical device reporting (MDR) is there?
Is there an Incident Response Plan, and what is in it?
This is the level of security the insurance company expects to be in place before it will consider covering a business network with a cyber insurance plan. If you do not have it, they will not cover you.
Furthermore, even if they will cover your network, it is wise to read all the fine print of the policy before you sign. It can contain a lot of exclusions. Policy holders who get hit as part of a coordinated attack by a nation-state might find that a small war exclusion in their policy leaves them in the lurch.
So let the buyer beware. If you are seeking cyber insurance coverage, be aware that you will need to attend to the substantive security of your network before it can be covered anyway. Make sure your network is under the watchful eye of experts who are keeping pace with the ever-changing threat landscape. Follow the adage that “an ounce of prevention is worth a pound of cure”, and invest accordingly. If you do want to invest in insurance coverage as an extra measure, and we completely agree that this is a wise thing to do, we also suggest you hire a lawyer to help you understand the details of your policy before you commit to it.
Protecting your business from cyber attack is essential. Most businesses (83%) do not survive a cyber attack if it happens, a statistic that owes to the fact that businesses generally do not prepare enough for one. Make sure that your business does not become part of this statistic. The threat landscape is growing, and it is not going away.