The last two years have been some of the most disruptive most of us have ever seen. The global pandemic compelled us to move thousands of people to remote work, to implement new policies and business models, and to share in virtual social gatherings that in some cases have only added to our collective stress.
For some of us, though, this was only the bittermost half of it. Another pandemic affecting businesses of all kinds—a pandemic of cyber threats, ransomware in particular—has upended much of what little normalcy had remained. In the insurance sector, where we focus, cyber is now considered the most troubled class, reflecting the fact that cyber risk is one of the largest threats facing businesses, as directors and officers around the world are keenly aware. To give you an idea: total net cyber liability claims incurred in Canada during the second half of 2021 totaled $106.26M, a loss ratio of 113 per cent, according to Canadian Underwriter.
This has driven premiums up: from what we've seen, companies are facing increases of as much as five times their previous year's premiums, and they are often the lucky ones. Many others are becoming uninsurable, or have to accept a reduced limit tower, new coverage restrictions such as coinsurance on ransomware losses, and the retention of risk they had previously transferred.
It's therefore perfectly reasonable to ask what's going on.
Undertow the line
The answer is pretty straightforward: the cyber insurance market has been dominated by a race to the bottom for years. New entrants whose underwriting approach focused on risk governance rather than technical security controls drove premiums down and coverages up. It's also technically still a new market, one that was still developing its understanding of the field when the ransomware pandemic struck. What we're seeing now with premiums is a correction, one that needed to happen both to stabilize the market and to "future proof" it.
Which means that higher premiums are here to stay. In fact, rather than seeing this as an increase from past years, we should be seeing it as a fresh start. You can work to mitigate the largest increases and maintain your coverage, but this very much depends on how your business stands up to the new technical requirements insurers are demanding. These requirements include the following:
- Centralized governance models, with uniform application of cyber security controls for all business units/dependents to be insured under the same policy.
- Multi-Factor Authentication (MFA) for all remote access to the organization, including any vendors with privileged access for maintenance/services, etc.
- Endpoint Detection & Response (EDR)/Endpoint Protection Platform (EPP) solutions installed on servers and endpoints with advanced anti-malware capabilities.
- Advanced email filtering with sandbox/detonation and quarantine capabilities.
- Robust patch and vulnerability management, including regular scanning and the tracking of vulnerabilities through to remediation.
- Ransomware-proof backups, including daily offline copies protected by dedicated service accounts, unique passwords, and MFA for access.
- Identity/Privileged Access Management (I/PAM) solutions.
- Security operations centre (SOC) services: security information and event management (SIEM) with 24/7 monitoring.
- Training/awareness with phishing programs.
- Annual internal assessments to verify policy implementation and efficiency.
- Network segmentation: separation of Information Technology and Operational Technology (IT/OT), isolation of critical assets, demilitarized zones (DMZs) for customer-facing and other external-facing assets, etc.
Your broker will thank you for having the above in place; so, too, will your lead finance officer. It will enable you to tell a story to underwriters, one of defense in depth and readiness to detect and respond to the most severe potential losses from a cyber incident.
Underwriters are now using scanning tools to search for any major potential vulnerabilities exposed to the internet. Tools such as Bitsight run reports against current and prospective clients, and those reports carry devastating weight in the judgment process. Should your business show too many critical items—an open remote desktop protocol (RDP) port, or an unpatched or legacy system exposed to the internet—you are likely to be declined. Regular scanning of your environment is of course a recommended best practice, but be sure to scan before going to market and to remediate any potential vulnerabilities you find. At a minimum, have a plan in place that you can show to underwriters.
So, what should you be looking out for at your next renewal or as you enter the market?
- Large premiums, with increases ranging from 50-200 per cent. Every case is different, so be prepared and start the process early.
- Reduced limits. Depending on industry and risk profiles, $10M can become $5M, and so on.
- Reductions in coverage:
  - Ransomware coinsurance, where you have to pay 50 per cent of any related losses.
  - Conditions precedent to coverage, with exclusions in place for unpatched systems, a lack of MFA, or a loss of technical support.
Ultimately, there is no substitute for wise investment in your cyber security. You must have plans in place to implement controls to satisfy the technical requirements of the market. And don't be afraid to challenge your insurance broker on coverage and market conditions. Any sugar coating should be a red flag.
Full team ahead
All of this, however, must come with a disclaimer. The cyber insurance market, as we said, is still developing—as are the threats that drive market change. As new attacks are discovered, new requirements will be pushed onto insureds. We should welcome this as the insurance market does its part to improve the quality of cyber security across all industries, something only regulation was able to do before. Keeping on top of best practice standards and frameworks will always put you in the best position to stay ahead of the market—and of the threats.