Cybersecurity Insurance Developments

The cybersecurity insurance market continues to evolve and there are some important developments for your consideration.  In short, although cybersecurity insurance is an important component in your cybersecurity plan (e.g., mitigating costs), it is critical that you are aware of the following to analyze the needs of your entity.

 

As an example, over the last two years, supply chain and third-party vendors appear to be the primary target of increased direct attacks.  More attacks translate to increased insurer payouts, which ultimately results in insurers adapting the risk model for insurance coverage.  In other words, premiums are rising rapidly and some insurers have even withdrawn coverage completely given the increased attacks, payouts, and unpredictable market.

 

For those carriers that remain in the cybersecurity market, an entity can expect increased premiums along with additional scrutiny and conditions associated with its application.  For example, insurers are concentrating on the risk profile of each individual entity and requiring formal documentation to evaluate its cybersecurity program.  The insurers are also requiring specific conditions prior to coverage, such as multi-factor authentication, incident response planning, and endpoint detection and response solutions, as part of the application.  In short, the insurers want to know the entity’s full risk profile.

 

The insurers are also applying that extra scrutiny and documentation as a way to potentially deny coverage in the event of a cybersecurity incident.  Thus, if a firm falsely certifies the extent of its cybersecurity program to the insurer, that can be the basis of a denial of coverage.  As discussed previously, falsely certifying a cybersecurity program is also fraught with risk when complying with federal and state obligations.

 

One approach for insurance coverage and regulatory obligations is to adopt an information security architecture known as Zero Trust.  A Zero Trust approach considers users, endpoints, software, and networks as potential threats and uses security protocols designed to limit the ability to move within systems to reach the most sensitive information.  With that said, however, the important point is that an entity must review its cybersecurity program in detail, continue to adapt its posture, and plan for the future to protect the entity and customer, limit liabilities (including regulatory), and mitigate the increased insurance premiums.