Originally published New Hampshire Bar News.
Ten years ago, most companies did not know that cyber insurance
existed. Five years ago, many still did not purchase it. Currently,
every business knows or should know that it needs cybernetic resources.
insurance. Risk aware people will never leave their
driveways without auto insurance or drive by a professional
services firm without malpractice coverage. So is the risk
conscious businesses cannot operate in the digital world without good
Similarly, five years ago, cyber insurance was cheap and easy.
acquire. Carriers asked few questions and insurance premiums were low.
and largely depends only on the size and industry
business. Two years ago, businesses could still easily update their
existing cyber insurance policies with their existing carriers,
without huge effort or premium increase. But then, Texas
froze, California burned, cyberattacks exploded, and
The world has plunged into a global health pandemic. Insurance
In 2020, underwriting has been turned on its head.
Carriers were desperate to reduce risk and increase insurance premiums.
all coverages, especially cyber, to make up for losses and
restore profit. As a result, the premium increases from 50% to 200%.
become commonplace for cyber updates, even for those who care about security
enterprises that have never experienced violations. For companies
affected by the violation, the premium increase to 400% is not
it is rare if these businesses can provide coverage at all. Right,
carriers simply refuse to renew coverage for hack victims,
as well as small businesses with low premiums, leaving them without
cyber insurance in general. In addition, the policy
offered often cut back on coverage, for example, significantly
increase in franchises, a significant reduction in sublimits and
completely excluding the coverage of certain losses.
As if all this wasn’t enough, businesses facing
the cyber insurance update should now remove another major hurdle in
detailed application form. While carriers
previously asked a few questions, if any, about the business
security preparedness before issuing cyber insurance (admittedly
poor risk management), carriers have now reversed course. These
The questionnaires include specific questions to assess whether a business is
implemented very specific cybersecurity security measures such as
multi-factor authentication, device and data encryption, virtual
private networks, advanced threat detection and prevention
applications, elevated privilege management, duplication and
encrypted backups and so on and so forth.
Even companies that previously dealt with cybersecurity
may find it difficult to answer all these questions in a way that
carriers want. And failure to comply with this requirement often leads to large
premium increase or fixed non-renewal. So the consequences
this process can be difficult. Two steps are critical to getting the right
prepare to secure or renew cyber insurance.
First, businesses need to start working with their insurance
cybersecurity agent and attorney at least six months before
estimated date of submission of applications for cyber
insurance or renewal. Agent and lawyer should consider
questionnaires-applications from carriers that business
plans to apply to determine specific guarantees
these carriers require. Such advance planning is necessary
because businesses often take months to implement
measures that may not be enough. In addition, working with
a cybersecurity lawyer will help make sure the application
completed properly and that the process is protected
Secondly, if the business is faced with a violation or even just
less security incident in the last few years, it
you need to work with your insurance agent and cyber security lawyer
a few months before the application, in order to develop
a strategy to address the violation or incident during this process.
Such a strategy is likely to include determining which carriers can
be prepared to consider providing coverage despite a breach or
incident, and the likely increase in premium for such insurance. Such
strategy also requires ensuring that all actual and potential
vulnerabilities that caused or could cause a breach or
the incident has been completely resolved and that the business can
demonstrate that he has significantly improved his
cyber security assurances, usually after a breach or incident
and that it complies with industry-accepted cybersecurity
Renewing cyber insurance is anything but a chore. Enterprises
who can’t prepare – starting a few months before
process – most likely to be unpleasantly surprised
a staggering premium increase or a complete non-renewal.
Cameron Schilling is a shareholder of McLane Middleton, where he
is the director of the judicial department and chairman
Cyber Security and Privacy Group
The content of this article is intended to provide a general
topic guide. You should seek the advice of a specialist
about your specific circumstances.