The Sophos Report shows that while cyber insurance helps organizations recover from a ransomware attack, far too many small and medium-size business owners fail to purchase appropriate levels of coverage or, worse, fail to reduce their ransomware risk and exposure.
At the same time, Sophos found that 94% of organizations with cyber insurance said that “their experience of getting it has changed over the last 12 months, with higher demands for cybersecurity measures, more complex or expensive policies, and fewer organizations offering insurance protection.”
Fortunately, in addition to focusing on improving your clients’ cyber resilience, you, as a trusted advisor, are well-positioned to partner with insurers to help mitigate the risks posed by potential cyberattack. Why?
The frequency of ransomware and other cyberattacks create an increasingly dangerous cyber landscape for small and mid-size businesses. They desperately need cyber insurance, yet it is growing increasingly more difficult to secure. Insurers are reluctant to take on more cyber risk, while added coverage limitations and exclusions leave small and mid-size businesses exposed or paying significantly higher premiums.
The NAIC’s Report on the Cybersecurity Insurance Market states, “Changes regarding risk factors are occurring in the underwriting process. Underwriters are starting to use tools to evaluate prospective insureds’ computer networks to decide whether they will write the cyber business…premiums grew substantially in 2020 as cyberthreats, particularly those having to do with ransomware, continue to rise…While businesses are aware that cyber risk is a looming issue, it is not uncommon for policyholders to believe their current business insurance policy covers a cyber loss.”
Insurers are tightening the proverbial reins, asking more granular questions about a business’s cyber resilience, and diving deeply into small and mid-size businesses’ claims and loss history while simultaneously including capacities, exclusions, and segmented coverages - all at a higher premium. According to the NAIC, insurers are exiting accounts that do not have controls in place. They expect superior data on an applicant’s risk posture before binding and want you to detail your assessment of the business’s risk exposure and tolerance.
“Implementing carrier-required security controls is not only in the insurer’s best interest. It also benefits the policyholder. It can help soften premium increases, improve coverage, and can greatly reduce the odds of a successful attack. Anyone who has ever been involved in a cyber event will tell you it was a painful experience. The cost associated with such an attack can easily far surpass the cost to have implemented the preventative measures in the first place,” said Hank Stickley, senior vice president, and Cynthia Zimmerman, executive vice president, of Socius Insurance Services, www.sociusinsurance.com.
The cyber risk consultant…a critical role in the “when, not if world” of cybersecurity.