Policy Holders Should Expect Cyber-Coverage Hurdles in 2022

Organizations experiencing cyber-attacks may face hurdles in obtaining cyber insurance coverage, including increased scrutiny of policyholders’ security arrangements and, consequently, increased insurance costs or denied applications for coverage. In fact, according to a report released in 2021 by AON, a professional services firm, the insurance market has imposed “sizeable rating increases” between 30–40%, and more than one in ten policies are seeing increases between 40–50%.

Although these facts can be discouraging to organization leaders and business owners, there are some things that your organization can do to minimize the impacts on insurance. AON encourages focusing on the following:

  • Cyber Security

    • Establish cybersecurity policies and procedures that can “demonstrate basic steps to reduce the risk and significantly decrease the impact of a threat actor is critical,” which requires:

      • proactive risk mitigation strategies including assessment, testing and practice improvement; and

      • incident response readiness, including conducting table-top exercises and proactively retaining key third-party incident response providers.

  • Ransomware & Business Interruption

    • Insurance companies are reviewing the risk of exposure for an attack by using “specific ransomware supplemental questionnaires and . . . scanning technology.” Companies should establish policies and procedures for ransomware-attack preparedness and focus on the following in the implementation and review process:

      • business continuity/disaster recovery planning,

      • privileged access controls,

      • multi-factor authentication,

      • proactive scanning/testing, and

      • overall incident response readiness.

  • Privacy

    • Demonstrate “privacy maturity” by establishing and routinely reviewing with counsel policies and procedures addressing the following:

      • third-party contracts,

      • online presence,

      • service providers,

      • supply chains and each business unit, and

      • the emerging legislative environments.

  • Cyber Security Culture

    • Ensure that all employees of your organization are “trained to work to combat malicious actors and reduce common vulnerabilities,” which demonstrates cyber incidents are “[n]o longer . . . just an Admin/IT/Finance problem.”

  • Contracts

    • Review third-party contracts for vendors involved in critical supply chain and IT procedures or responses, as they “are at heightened risk for ‘single point of failure’ hacks impacting multiple organizations.”

  • Insurer Transparency and Communication

    • Review exclusions in your primary policy provisions and “maintain[] a clear and transparent relationship with both primary and excess insurers” to “better inform policy intent and improve claim outcomes.”

If you have any questions or concerns about how these insurance coverage changes could impact your organization or to receive assistance in reviewing and updating your organization’s policies, please contact Kennedy Sutherland.
