Since its origins in the mid-2000s, cyber insurance has become a staple for transferring financial risks arising from information technology assets and operations. The risk of loss from malware, unauthorized access, email compromise, ransomware, and other threats is difficult to quantify. For most of that period, cyber insurance was a relatively cheap and abundant way to insure against loss from these risks. That’s no longer the case. Huge hikes in premiums, reduced capacity, increased retentions, and constantly changing underwriting requirements are the game today. What you have today, you may not get next year.
“For the past two years, the cyber insurance market has been characterized by a high volume of claims, severe losses, climbing rates, reduced insurer appetite, and an increased focus on accumulation risks.”
–Marsh McLennan, 2022
Adding to the concern, Lloyds’new exclusionsfor state-backed cyber-attacks in standalone cyber policies are making buyers think twice. AXA dropped coverage for ransom payments in 2021. Beazley now has multiple addenda to its cyber applications covering details down to specific vulnerabilities (e.g., Log4j). So, if the policy is expensive, hard to get, and doesn’t cover significant risks like ransomware and state-backed actors – why buy it at all?
“We are therefore requiring that all standalone cyber-attack policies… must include… a suitable clause excluding liability for losses arising from any state-backed cyber-attack…”
Why buy it at all?
That’s a good question, and one echoing around risk managers’ offices throughout the world. By its very nature, cyber insurance can only lessen the impact of a major event. It does nothing to stop it. Yet thousands of CEOs think they are protected simply because they have cyber insurance. Nothing could be farther from the truth. Buying a cyber insurance policy for pre-breach services is no longer necessary, in fact it’s pointless. The offerings are typically limited and not very helpful. You can find a dozen vendors offering every imaginable service directly without the encumbrance of the insurer.
To make matters even more confusing, you may even need to hire your separate legal counsel in addition to the one provided by the cyber insurer just to make sure you are treated properly. The “tripartite relationship” among an insured, the legal counsel appointed under the policy, and the insurer can lead to conflicts and ethical dilemmas necessitating additional counsel for you, the insured. Consider that the legal counsel appointed by the insurer may have more loyalty to the insurer than to you. They may have hundreds of cases at stake. Be mindful of potential conflicts and carefully review any coverage letters or reservation of rights letters.
Remember that insurers have cut deals with their “panel” legal counsel providers. That means they have negotiated reduced rates. Law firms may respond by using their least expensive resources. Make sure the legal counsel provided by the insurer is not a junior associate. Your entire organization is at stake!
Be aware that you may also need to hire a separate incident response firm to make sure the one provided by the insurance company properly eradicated the threat from your computing environment. One method insurers have used to cut response costs is to hire cheaper, less experienced responders. It may be cheaper by the hour, but the quality and timeliness of the service suffers significantly. (The jury is still out on whether these low-cost providers actually save the insurer any money.) PacketWatchhas had to ride shotgun and clean up problems from insurer-provided response firms on multiple occasions. Pro tip: Avoid hiring response firms that derive most of their revenue from participating in insurance panels. Guess where their loyalties lie.
The Shift to Proactive and Preventative
Given all of the problems noted above, astute organizations are shifting more spend to proactive and preventative services. By engaging amanaged detection and response(MDR) provider to proactively hunt for threats and engaging in common sense security hygiene practices (MFA, patching, email filtering, etc.) the risk of a significant incident is greatly diminished. Some organizations are forgoing traditional cyber insurance and self-insuring at least some of the risk. They are setting up their own retainers with specialized legal counsel and incident response firms likePacketWatch. They are rehearsing incident response plans, testing protective tools, and pre-deploying response tools — ready to roll in the event of any type of incident. Compare that to waiting for your insurer to appoint someone you may not want to use anyway.
Refine Your Strategy
With tumultuous conditions in the cyber insurance markets and the problems noted above, now is the perfect time to revisit how you use cyber insurance. Ask yourself, why am I paying for this and what do I get out of it anyway? You may just find that the strategy you’ve used over the past several years is no longer workable and needs to be refined. You may find that shifting more spend to proactive and preventative services is a better strategy for your organization. If you’d like to discuss the specifics of how a more proactive and preventative strategy can benefit your organization, call us today. We don’t sell insurance and we are not attorneys, but we have cleaned up dozens of messes created by them. Our mission is to help you avoid similar problems.