The Future of Cyber-Insurance Policy Security Requirements

As Cyber Attacks continue to escalate, more and more businesses are looking to Cyber Insurance Policies to protect against financial losses. As cyber insurance becomes more popular, we at Sher-Tech are seeing changes to the underwriting process.

Currently, when seeking an insurance policy, the insurance company will send you a questionnaire seeking information on your business and your security. Today, more and more technical expertise is required to respond to these requests. It looks easy, it is only 3 or 4 pages, and you think it will take about 15 minutes to complete. But after 2 weeks and 40 calls to your IT provider, you still aren’t done. The information is both very high level, such as policy requests, and very granular, such as the name of your Anti-Virus software. Making life even more interesting, they will ask Yes/No questions that do not have a Yes/No answer, such as “are all devices and software protected by MFA?”. What if only some are, or software but not devices? It is impossible to answer. Finally, after you send the information back, you receive a response stating that they will not be granting you a policy due to inadequate security. Nowhere will an insurance company tell you which security controls are mandatory for coverage. You will only find out after you have been denied a policy. Frustration abounds for both parties. You have wasted your time working on the questionnaire, the insurance company has lost a customer, and you still don’t have cyber-insurance.

To remedy this, cyber-insurance companies are moving away from the questionnaire format. Too many customers simply check “yes” to all the boxes, even when they have not fully implemented the security controls. Following a claim, the insurance company will audit the client. Requests for information, called “artifacts” in auditing terms, will be made detailing both the nature and timeline of the incident, but also to prove compliance. Failure at this point leads to a denied claim and possibly being dropped entirely.

Security expectations are only going to increase. Insurance companies are looking into requiring an audit before the policy is granted. This will involve stricter requirements for attestation, such as proof of compliance and penalties for misstatements. Additionally, insurance companies are applying risk scores to clients. The less secure they believe you to be, the higher your premium will be. Some insurance companies are even pushing for direct access to customer’s IT systems and the installation of monitoring software to monitor compliance. This is incredibly dangerous. The insurance company isn’t going to improve your security posture or prevent an incident. Rather, that access creates increased risk with a new attack vector into your system and increased attack surface.

The  future of Cyber-Insurance is one of increased expectations of Cybersecurity competency within organizations. Cybersecurity is no longer an afterthought but must be “baked-in” to every department within an organization. There are steps you can take to improve your organization’s Cybersecurity and improve both the insurance policy you obtain, and the premium you pay. First, go with a reputable insurance company. There are numerous brokers who can assist you with obtaining quotes from multiple companies with excellent reputations. Second, if you do grant IT access to your insurer, make sure it is very limited, and segregated from your system to limit the damage an intrusion can inflict. Lastly, obtain outside expert security advice to assist you in understanding your system, securing your system, obtaining cyber-insurance, and keeping your business running.

Cyber-insurance is an important loss-prevention control for organizations. The evolving threat environment means Cyber-insurance is only going to become more critical, more complicated, and more expensive.