[ad_1]
If your business’s cyber insurance policy is due for renewal soon, be prepared: you could be faced with higher premiums, lower coverage limits, and a more in-depth review of your business’s cybersecurity protections.
In large part due to the recent increase in the number and severity of ransomware attacks and other cybercrime, insurers are tightening their underwriting standards for cyber insurance.
“The renewal application process is getting more and more stringent and onerous,†said Reid Putnam, vice president of property and risk at Indianapolis-based broker Gregory and Appel Insurance. “It’s been a real change from where we were a year ago. “
Putnam is president of the Indiana Security and Privacy Network, a volunteer-run nonprofit that focuses on the healthcare industry. He is also an advisor to the Indiana Executive Council on Cyber ​​Security, created by Governor Eric Holcomb in 2017.
Putnam said much of the change is due to the pandemic and the resulting work-from-home boom. When people started connecting to their employers’ networks remotely, criminals saw security holes they could exploit and cybercrimes, especially ransomware attacks, exploded.
The FBI’s Internet Crime Complaint Center received 2,474 ransomware incident reports last year, up from 2,047 in 2019 and 1,493 in 2018. The cumulative losses associated with these ransomware attacks totaled 29.2 million. dollars last year, up from $ 9 million in 2019 and $ 3.6 million in 2018.
And these ransomware incidents represent a small fraction of the 791,790 cybercrime reports made to the FBI last year, up from 467,361 in 2019.
The proliferation of cybercrime means that insurers face more cyber insurance claims.
Indianapolis attorney Mark Swearingen, who specializes in healthcare law and health information privacy at Hall Render Killian Heath and Lyman PC, said his law firm used to see a or two cyber incidents each month among its customers. Since the start of the pandemic, he said, the volume of incidents has doubled or tripled.
In response, Swearingen said, its clients whose cyber insurance policies must be renewed annually are seeing everything from increasing premiums to reducing coverage limits and increasing deductibles. Insurers also require clients to adopt certain policies and procedures.
It all started within the past three to six months, Swearingen said. “It’s a radical change.
Higher cost, lower coverage
Cyber ​​insurance can include a variety of coverages. A policy can cover the business costs associated with a data breach or cyber attack, such as data recovery, forensic investigations, customer communications, and lost business. It can also cover the cost of a ransomware payment or legal fees if a business is sued for a data breach or other incident.
According to the Council of Insurance Agents and Brokers’ Second Quarter Property and Business Risk Market Index, released last month, cyber insurance premiums increased an average of 25.5% in the last quarter, following a average increase of 18% in the first quarter and 11.1% in the fourth quarter of last year. In comparison, the average increase in premiums for all types of property and risk insurance combined was 8.3% during the second quarter.
Some individual carriers have increased their premiums even more. American International Group Inc., commonly known as AIG, said its cyber insurance rates rose nearly 40% in the second quarter compared to the same period a year earlier.
Putnam said some of its customers have seen their premiums increase by up to 100%.
In addition to increasing its premiums, AIG is also taking other steps.
“We continue to carefully reduce cyber limits and secure stricter terms and conditions to deal with growing trends in cyber loss, the growing threat associated with ransomware and the systemic nature of cyber risk.” , said Peter Zaffino, Chairman and CEO of AIG, in a final call for results. month.
In many cases, insurers are placing new requirements on what customers must do to even be eligible for cyber insurance.
“Are you insurable? That’s the big question now, â€said Ron Pelletier, founder and chief client officer of Indianapolis-based cybersecurity firm, Pondurance LLC. Insurers “are much more demanding as to whom they subscribe”.
Pondurance works with businesses both to reduce their risks online and to respond to incidents once they happen. Pondurance also works with insurers to help them understand the security risks their clients may face.
Better safety standards
Before purchasing or renewing a cyber insurance policy, insurers take a closer look at their clients’ Internet security practices and protections.
Some insurers require clients to strengthen their employee training and assessment programs. This can include not only training employees on security best practices, but also testing employees by sending fake emails and seeing how many people click on suspicious attachments or links.
“People continue to be our weakest link in all of this,†Putnam said.
He advises clients to perform tabletop exercises in which the company experiences a mock cyberattack and trains to respond.
A cybersecurity practice known as multi-factor authentication is also becoming a common requirement, Pelletier said. For example, a company can ask an employee to log into the IT system by entering their username and password, and then receive a unique code through a smartphone that must also be entered.
Insurers also want their cyber insurance clients to have strong security processes, Pelletier said. This may include policies on which employees have access to certain company information and processes to verify the legitimacy of a request for a change of password or a transfer of funds.
Policyholders may also be required to use technologies such as anti-virus software and endpoint detection and response systems, which may monitor and respond to unusual or unauthorized network activity.
Insurers are also starting to require their cyber insurance clients to include cyber incidents in their business continuity plans, just as they might for flood, fire, or other disasters.
“Insurers look at these things very closely, so they know who they’re insuring and what they’re insuring,†said Janet Ruiz, director of strategic communications at the New York-based Insurance Information Institute Inc.
Certain types of customers could be more exposed to cyber attacks, Ruiz said. If criminals are looking for personal information that they can steal, healthcare providers, financial companies, and colleges are common targets.
If criminals have a ransomware attack in mind, “they really go after everyone they think they can reach,” Ruiz said. “It’s really a wide range. “
Last month, Eskenazi Health shut down its data network and hijacked ambulances in response to what the hospital system called a “ransomware attack attempt.” Eskenazi later said some of its data was obtained and posted online, and employees, patients, contractors and vendors should monitor their bank and credit card statements for any signs of suspicious activity.
Nationwide, Georgia-based energy company Colonial Pipeline, Colorado-based meat producer JBS USA Holdings Inc., and the Washington, DC Police Department have also been victims of ransomware so far this year.
Ransomware payments
To tackle ransomware specifically, Ruiz said, some insurers are lowering their coverage limits for ransomware payments. Criminals who have violated a company’s system sometimes look for a victim’s insurance policy and tailor their ransomware claim to the victim’s coverage amount, Ruiz said. Therefore, insurers are reducing their ransomware coverage with the theory that lower payments will make ransomware less attractive to criminals.
Many criminals demand that ransomware payments be made in cryptocurrency in order to hide their identity. For this reason, said Ruiz, insurers are also pushing for stricter cryptocurrency regulations.
Since the components covered by cyber insurance – the internet, online data stores and the like – are relatively recent developments, they’ve only been around since the late 1990s or so, said Jim Goldman, CEO and co. -Founder of Trava Security Inc, based in Indianapolis.
But it is becoming a topic of increasing importance for all businesses, Goldman said.
Trava, a High Alpha company, helps clients assess and mitigate their cybersecurity risks. The company is also an insurance broker for cyber insurance companies, and it is working on developing its own digital insurance policy platform so that it can do its own underwriting.
Goldman said it is becoming more and more common for companies to require cyber insurance from their business partners. As of last year, he said, only 35% to 40% of small and medium-sized businesses had purchased cyber insurance. But he expects it to grow.
“More and more, regardless of the size of the company, it becomes a requirement for doing business,†Goldman said.
“Suddenly, companies have realized the fact. ‘Wow, that’s a real potential risk for us.’ “•
[ad_2]
