Securing cyber insurance coverage is becoming more challenging

When vulnerable business owners are faced with the very real threat of falling victim to a cyberattack, cyber insurance is often a final fail-safe that they look to, so that they can seek some form of protection from the consequences of dangerous cybersecurity threats.

Cybersecurity insurance is designed to protect a business from the potentially dire implications of an attack on their IT systems and infrastructure. These could range from significant financial losses to long-term reputational damage.

The coverage offered by insurance providers has gained attention over the last two years. As many as 77% of employed residents in the information and communications industry worked remotely in 2020, according to a report by the Ministry of Manpower. With many of their staff working from home, businesses have come to realise that their pre-pandemic security measures are no longer providing the level of protection they require.

A reliance on firewalls and other on-premises measures are simply insufficient. Home-based workers — thanks to unsecured Wi-Fi, unpatched personal devices, and generally poor cyber hygiene — are more susceptible to everything from phishing campaigns to ransomware attacks and more.

These concerns come at a time when the number of cyberattacks is on the rise. High-profile breaches — such as the ones on Colonial Pipeline, JBS Meats, and Kaseya, as well as local attacks on Singapore-based Eye & Retina Surgeons — have captured headlines and caused massive disruption for the victims.

Meanwhile, the ransomware scourge continues to grow. Cyber Security Agency of Singapore’s (CSA) 2020 Singapore Cyber Landscape report found an increase in cyberthreats such as ransomware and online scams. There were 89 ransomware cases reported to CSA in 2020, a sharp rise of 154% from the 35 cases reported in 2019. The significant increase in local ransomware cases was likely influenced by the global ransomware outbreak, where three distinct characteristics were observed as ransomware operators deployed increasingly sophisticated tactics.

Underwriting requirements tightening

This increase in cyberattack numbers and payouts is having a direct impact on the cyber insurance market. To stay solvent and viable, many insurers are significantly increasing premiums, dropping coverage, or exiting the cyber insurance market altogether.

Based on insurance advisor firm WTW’s cyber portfolio in Asia, cyber insurance rates have seen an increase ranging from 50% to 200%. Insurers are also tightening underwriting guidelines and mandating that their customers have certain security controls in place, such as privileged access management (PAM). The result is that an organisation seeking an alternative cyber insurance quotation is subjected to new rounds of scrutiny and auditing from a fresh set of eyes – adding to the fatigue already faced by IT teams.

Insurers are also becoming more selective about who they are willing to cover. Just as a driver who is involved in multiple accidents may be dropped by their insurer, the cyber insurance market is no different. From an insurer’s standpoint, not every applicant is a good candidate.

Qualification for cyberattack coverage is being carefully assessed and potentially denied based on the answers of prospective and current customers to comprehensive security questionnaires. Insurance companies are also increasingly hiring security professionals to help them navigate the path to insuring qualified customers and denying those who don’t qualify, or otherwise pose too big a risk.

Another development in the market is the focusing of insurance policies on particular cyber risks. An insurer may offer a client coverage for malware and spyware but refuse to cover events when ransomware is involved. In fact, there is an argument to be made that ransomware attackers will retarget businesses who have paid previously thanks to cyber insurance.

Boosting your cyber insurability

Organisations need to consider that if they are not taking robust precautions to protect against cyberthreats, they cannot assume that cyber insurance will bail them out after an attack.

Insurers will increasingly hold firms accountable for their cybersecurity programs and levels of protection. They expect their customers to adequately uphold their end of the bargain with regard to mitigating risk, reducing attack surfaces, and having mature IT security strategies.

Also, if a business does fall victim to an attack, their insurance company may require proof that they had the agreed upon security measures in place. Absence of control, even on a single endpoint or application, may give the insurer the leeway it needs to deny a claim in the court of law.

Implementing and managing PAM security controls ranks as one of the best ways a business can proactively reduce its cyber risk and improve its ability to obtain cyber insurance coverage at the best possible rates.

Indeed, multiple security controls are now commonly required by cyber insurers. These controls include enforcing least privilege (including removing admin rights) across both human and machine accounts.

Some insurers also require businesses to apply multi-factor authentication for remote access to their core network by employees and third parties. They may also demand the business has the ability to identify and remediate indicators of compromise.

It’s clear that the cyber insurance market is changing rapidly. Businesses may find it increasingly difficult to secure coverage and, if they do, it may not be as comprehensive as it had been in the past.

Indeed, company decision makers need to consider long-term strategies to meet the specific compliance requirements of their own industry, as well as the necessities of the ever-evolving threat landscape and insurance environment.