Forgiveness After an Attack
Cyber attacks have been soaring through the pandemic, cyber insurance rates are on the rise, and the underwriting process has gotten tougher.
The sharp increase in ransomware attacks and privacy regulatory actions is partly to blame, but fault also falls on the large number of companies that simply refuse to close the gaps and deficiencies in their cyber-security program, especially following an incident. Advisen recently warned buyers that the cyber insurance market is “vibrant but stressed” and that they can expect increases in rates and possibly changes in the terms and conditions of coverage.
When a company has a cyber incident, it hires forensic investigators, notifies its insurance carriers, clears the problem out of the IT system, deals with the lawyers, regulators and other fallout, and files an insurance claim. Then, at policy renewal, the company is often hit with a sharp rate hike, which continues year after year.
Companies are typically ready to put an incident behind them, get operations back to normal, and move on. They already spent more money than they wanted and have little appetite for additional projects that were not in the budget. For example, few companies want to follow an incident with a comprehensive risk assessment to identify gaps and deficiencies in their security program and close the most critical ones. What they do not realize is that they are not saving money—they may actually end up spending more than the cost of the assessment and remediation in increased cyber insurance premiums. Plus, they continue to operate at a higher risk.
Agents and brokers have the opportunity to help their clients following an incident to evaluate their risk management profile and take appropriate proactive response measures to prevent a recurrence. These actions can then be used to help negotiate a steady premium or at least a much smaller increase than the client would have if no action had been taken.
If management takes a complete accounting of an incident, evaluates all sides of the issue, and identifies the areas within the security program and culture of the company that contributed to the incident, it can identify potential points of exposure and address them proactively. This may even involve changes to codes of conduct, the implementation of new institutional policies, and additions to the responsibilities of line management or board committees.
If they undertake the necessary remediation of policies and procedures, infrastructure and configuration, training, and so on, they lower their risk profile, make the company stronger, are better able to deter or defend against future attacks, and may keep ongoing premiums much lower.
An agent or broker now has concrete actions to work with at renewal and can show carriers that the client assessed the incident, identified what measures would prevent a similar occurrence, and dedicated the resources to ensuring they were performed. There is no silver bullet with cyber security, but a demonstrated commitment to keeping the company from going down the same path in the future can be enough to hold off a premium hike that may go on for years. It also can buy a lot of goodwill from regulators, judges and consumers.
Michael Murdoch, senior vice president for Sterling Risk, has experience in guiding clients through remediation activities following a serious incident and has achieved good results. “In a recent case, the insurance carrier acknowledged the corrective steps the company took and did not penalize them to the extent expected. They got a bump, but they didn’t get a massive smack.”
As cyber underwriters scrutinize operations and ask probing questions, these kinds of remedial activities are even more likely to pay off. Following an incident, companies can expect underwriters to ask whether controls known to reduce or block the same attack are in place, particularly in light of the business interruption claims flowing from ransomware attacks. If remedial actions have not been taken, not only may the premium increase, but the coverage also may be reduced.
Agents and brokers can help their clients avoid this pain by advising them to:
- Inventory applications and data and map cross-border data flows
- Develop a Table of Authorities of privacy and cyber-security compliance requirements
- Perform regular cyber risk assessments
- Develop prioritized remediation plans and address critical and high risks first
- Develop incident response plans in alignment with best practices and standards
- Invest in cyber-security training for IT and security personnel
- Require annual security awareness training and regular alerts
- Ensure backup and recovery plans are developed and tested
These core actions will serve clients well at application and renewal time and will demonstrate good practices to consumers, regulators, attorneys general, and courts if a serious incident occurs. No one expects perfect cyber security, but there will be little forgiveness after an attack if these basic foundations of a cyber-security program were not performed. “As markets harden in the face of disruptive cyber attacks, a proactive response beyond basic remediation will be required,” predicts Murdoch.