Cyber insurance is a must for companies today, but not all policies are created equal. This is, in part, because it’s difficult to underwrite risk accurately. From the lack of data to the constantly evolving tactics of hackers, there are a lot of moving pieces.
Andres Franzetti, Co-Founder and CEO of Risk Cooperative, a national insurance brokerage, provided additional insight into the changing climate of cyber risk in our recent webinar. While cyber insurance coverage grew by 22% in 2019, loss ratios grew to 73% in 2020 — the highest they’d been in six years. To protect their pockets, insurance companies are both limiting coverage and exiting from non-profitable markets.
Insurance companies are also increasing rates by up to 100%, all while paring down covered events. We’ll look at what you should know about the growing list of exclusions and what it means for your cyber protection.
What’s Not Covered in Standard Cyber Insurance?
Every cyber insurance policy will have its own terms, but common exclusions typically include the following:
- Third-party providers: Suppliers and vendors of any kind can create huge gaps for their clients. If there’s a data breach due to their protocols, any resulting ramifications to your business are unlikely to be covered by your insurance.
- Lost portable devices: Insurance companies will not take responsibility for lost or stolen portable electronics. (Some companies will modify this policy if these devices are encrypted.)
- War, invasion, or terrorism: Any damage attributed to government-sponsored groups or of ideological origin may be excluded from the policy.
- Security maintenance failures: The company must meet and maintain minimum security standards to have an insurance claim approved.
By definition, cyber issues overlap with a variety of insurance categories. While this may sound like coverage from different policies, the reality is that it creates gaps in any organization. A robust cyber policy can mitigate most potential loss scenarios.
How to Redefine Your Cyber Protection Plan
Decision-makers at insurance companies are putting a high priority on setting security standards for every customer — so there’s no question about what role the client plays in protecting their data. While the debate rages on about exactly what that means for each company, it boils down to enforcing stronger security controls.
Precautions like two-factor authentication (2FA) and encryption aren’t just for conglomerates anymore; they’re for every business with a vested stake in continuing its operations. When underwriters see this technology in place before writing the policy, the policy is more likely to cover what the company needs it to cover.
Cyber insurance plans go beyond financial risk transfer, so cyber policies can provide a range of proactive and risk mitigation services such as training, workshops, and more. Integration with Managed Security Services Providers (MSSPs) is another component.
Failing to take cybersecurity seriously — particularly when you factor in cyber insurance exclusions — is an open invitation to financial devastation. The best way for a company to respond is to be aware of its policy and what it can do to flesh out its own security standards. Download this Minimum Cybersecurity Checklist from Risk Cooperative to see where your organization currently stands.
The good news is the right MSSP can help a company assess their current program, implement more comprehensive security controls, and monitor and maintain the system from there. This is how companies of all sizes can adopt a more holistic plan, one that minimizes the odds they'll ever need to file a claim in the first place. Take our short Cyber Hygiene Quiz for an assessment of your company’s cyber posture.