Many organizations rely on cybersecurity insurance to help them recover from ransomware and other cybersecurity incidents.
Unfortunately, because of the drastic rise in attacks, insurance companies have suffered major losses. As a result, they’ve been forced to increase their premiums and require improved security from their customers.
In many cases, insurers are strictly enforcing denial-of-coverage clauses, depending on what security measures (or lack thereof) led to the attack. This adds stress to an already anxious situation.
To manage increasing risks and keep your business safe, your security teams need to work carefully with legal counsel and financial managers.
Only by clearly assessing your expectations and responsibilities can you understand your risks and how to cover them.
Rising Costs of Cybersecurity Insurance
In June, it was noted that cybersecurity insurance rates had already risen by 10-30%.
Additionally, insurers were placing stricter security requirements on businesses.
While not all industries face such a drastic rise, expect cybersecurity insurance prices to continue trending upward.
In recent years, cybersecurity insurance providers were hit hard by ransomware and other attacks.
As a result, they’re pricing their policies aggressively in anticipation of more frequent, costly breaches.
Challenges of Increased Requirements
Insurers often provide reductions in your cybersecurity insurance premiums if your organization improves its IT security.
However, sometimes the improvements are costly and tough to implement.
For example, some healthcare providers cite requirements to implement multifactor authentication (MFA) for internal network access, along with privileged access management.
For doctors who already balk at having to type in robust passwords, increasing the requirements can lead to strong backlash.
To avoid unpleasant surprises, you’ll need to examine the requirements of potential cybersecurity insurance policies. You’ll want to be aware of any impracticable or unaffordable changes that need to be made.
Although some requests might be negotiable, you’ll need to balance the requirements of the insurance company against the reluctance of your stakeholders, your budgets, and your capabilities.
Just because you have a policy doesn’t automatically mean you’ll be covered.
Insurance companies protect themselves by limiting coverage or denying claims outright – especially for negligence.
Since patches have been available for several months, the insurance company could rightfully claim that the attack was the result of negligence.
Similarly, if your business falls prey to ransomware, you’ll be required to take security steps to prevent future attacks.
If you fall victim again without having completed the steps, your insurance company could deny coverage for the second attack, citing negligence.
Cover Your Assets
When dealing with new requirements or a rapid remediation, your IT team needs to prioritize vulnerabilities.
They’ll need to identify options that best suit your business’s needs, while still keeping up with everyday responsibilities. For an overloaded IT team, this can feel overwhelming – but it doesn’t have to be.
IT teams can bring in outside experts to identify options, work on short-term projects, or take over requirements that don’t add value to the organization. For example:
- Emergency room staff dealing with a bleeding patient can’t easily use cellphone MFA to access the internal network.
However, there are other options that may be even more convenient than a password.
For example, hospital access badges can provide one factor of authentication, and voice recognition can provide a second factor.
- If your organization was recently hit by an attack, hire an outside provider to help speed up the remediation process, block other attacks, and verify security with penetration tests.
- If the process of patching the Microsoft Exchange server doesn’t provide critical value to the law firm, then patching can be outsourced to an IT managed service provider. This would allow the firm’s IT team to focus on the needs of the attorneys instead.
As long as data breaches, ransomware, and other incidents continue to rise, the cost of cybersecurity insurance has no choice but to increase as well.
You’ll need to review your policies thoroughly in order to stay compliant and reduce the chances of a claim denial.
If necessary, never hesitate to reach out to others for help in understanding and complying with your coverages. Whether it’s a lawyer or an outsourced IT team, you’ll want to make sure you’re covered when you need it most.