Corporate TIPS & Coverage Counselor: Recent Cyberattacks Complicate Cyber Insurance Industry and Coverage
By Jarman J. Smith on September 2, 2021
The cyber insurance industry is drastically evolving amid a recent wave of cyberattacks against businesses, organizations and agencies throughout the world. Although the increase in frequency and negative impact of cyberattacks has inflated the demand for cyber insurance policies, several factors may make it more difficult for parties to obtain and maintain such coverage. Thus, businesses should act quickly to either obtain or renew their cyber risk insurance policies and ensure that such policies adequately protect their interests in the event of a cyber incident.
Increased Premiums and Lower Policy Limits
Obtaining adequate cyber insurance coverage is becoming more challenging for businesses because cyber insurance policies are becoming more expensive while offering less coverage. For instance, as concerns grow over ransomware payments for cyberattacks, many cyber insurers have adopted new limits on cyber extortion and ransomware coverage for certain insureds. Cyber insurers have also implemented additional underwriting at both the initial policy procurement and renewal stages for their cyber insurance policies. Moreover, insurance premiums have increased because of the volume of cyber claims being paid by carriers. In the past year, cyber insurance costs have increased by a third.[1] These increases have been seen across the globe, but there has been a more decisive spike in the United States, where cyber insurance prices rose 35%.[2] This increase is the highest annual increase for cyber insurance coverage since 2015.[3] However, despite the reconsideration of policy limits and businesses having to bear the burden of higher deductibles, insurance companies have largely paid claims and worked with their policyholders who have fallen victim to cybercriminals.
Changes to the Cyber Coverage Industry
To continue collecting on premiums under this coverage line, the cyber insurance industry is adapting to the evolving cyber risks to businesses. For instance, several technology companies joined an incubator project backed by Lloyd’s of London as part of the specialist insurance market’s efforts to develop insurance products concerning cryptocurrency, cyberattacks and claims modeling.[4] Furthermore, commercial insurer Corvus recently acquired Wingman Insurance to gain access to Wingman’s cybersecurity platform and technology errors and omissions coverage.[5]
Some speculate that cyber insurance may disappear if cyberattacks continue to escalate to uncoverable amounts.[6] However, the demand for coverage continues to grow and cyber insurance policies are not going away anytime soon. In fact, underwriters are becoming more sophisticated in assessing risks to help the cyber insurance market remain sustainable. Underwriters are now requiring more detailed submissions and incorporating vulnerability scans into their underwriting processes. Moreover, businesses can expect that insurers will continue to restrict terms and use sublimits to refine the scope of coverage.
Cybersecurity Best Practices Needed to Secure Good Coverage
While the cyber insurance industry is working overtime to pay off losses from cyberattacks, the primary ongoing reaction of insurers is focused on improving their clients’ cybersecurity practices. There are now higher expectations for parties seeking cyber insurance coverage to have better controls in place to defend against and respond to cyberattacks. A few cybersecurity practices that may ease the process of securing and/or renewing adequate cyber insurance coverage are outlined below:
- Adopt an incident response plan and internal data security policy.
  - Every organization needs an incident response plan in place to prepare for and effectively respond to cyberattacks. Your organization should also develop an internal data security policy that works in conjunction with the incident response plan to educate your employees on proper data handling procedures and to communicate your organization’s cybersecurity policies and practices.
- Have appropriate data processing agreements in place with your third-party vendors, partners and clients.
  - A data processing agreement (or “DPA”) is a binding agreement between your organization as a data controller and third-party organizations that may process your data on your behalf. These agreements will help your organization tie up any loose ends concerning your data privacy compliance efforts and indemnification obligations among the parties.
- Develop a remote work policy and use telecommuting agreements for remote employees.
  - Employees are often targeted by cybercriminals, and networks with remote work capabilities have increased exposure to cyberattacks. Adopting a remote work policy and using well-written telecommuting agreements with your employees will protect against these risks and provide for proper cybersecurity safeguards.
- Consult with experienced professionals.
  - Obtaining adequate advice from a trusted source is essential when creating and enforcing cybersecurity policies and procedures. Professionals with knowledge of privacy regulations and cyber insurance policies can provide the guidance your organization needs to establish proper cybersecurity practices and to obtain appropriate cyber insurance coverage.
How Brouse Can Help
Obtaining the appropriate level of cyber insurance coverage is becoming increasingly difficult as ransomware continues to disrupt the cyber insurance industry. Brouse McDowell’s Cybersecurity and Data Privacy and Insurance Recovery teams can provide the guidance and tools you need to secure adequate cyber insurance coverage or to review your existing insurance policies to identify any potential uninsured risks. Along with providing general guidance through the complexities of cyber insurance coverage, we also provide proactive solutions for companies to defend against cyberattacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this blog. © 2023 Brouse McDowell. All rights reserved.