Cybersecurity Controls are Driving Insurance Renewal Terms and Pricing

Cyber insurance pricing has increased significantly in the last several years. Loss frequency and severity is driving the pricing increases with ransomware as the loss leader. Underwriters are scrutinizing internal controls, and are either providing very low limits ($100K to $250K), or are no longer willing to write ransomware without multi-factor authentication (MFA). MFA is a security setting that requires users to provide more than one method of verification to gain access to websites or applications. It is also referred to as two-factor authentication.

MFA is the top requirement, but underwriters will also inquire about the following:

Sender Policy Framework (SPF) – An email authentication technique used to prevent spammers from sending messages on behalf of your domain.

DomainKeys Identified Mail (DKIM) – An email authentication method that allows senders to associate a domain name with an email message, thereby proving its authenticity.  A sender creates the DKIM by “signing” the email with a digital signature.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) – An email authentication protocol that uses SPF and DKIM to determine the authenticity of an email.

Next Generation Anti-Virus (NGAV) – A software that uses predictive analytics driven by machine learning and AI, and combined with threat intelligence to detect and prevent malware, identify malicious behavior, and respond to emerging threats. NGAV works in hand with Endpoint Detection and Response (EDR). EDR centrally collects and analyzes endpoint data across the entire company to examine potential threats. NGAV should be rolled out throughout the company and be centrally monitoring and analyzing all endpoint activity.

Companies with an upcoming policy renewal without the security measures are binding unfavorable coverage with higher pricing and lower limits than implementing the fixes with the intent to go back to market to improve its offering after the “fixes” are implemented. Unfortunately, underwriters are not open to marketing midterm. Carriers are not discounting pricing if new controls are implemented “today”. While it is absolutely a better risk, threat actors could already be in a system. Most hackers hang out in the target’s system for a few weeks/months before they perform a ransom demand or exfiltrate data. So, even if MFA/EDR was implemented “today”, carriers will not adjust coverage or apply a credit to pricing until at least 90 days have passed since new controls are in place, as that gives some wiggle room to make sure a hack has not already occurred. Studies reveal it takes about 220 days to figure out hackers are inside a system. If new controls are implemented today, it does not mean the hackers are not inside the system already.

Insurers are increasingly tightening underwriting requirements and stipulating that organizations adopt security controls that can make a measurable and positive impact on a company’s exposure to cyber risk. The time to act is now. Implementing security measures should start as soon as possible. Don’t wait until renewal to find out your company falls short. Contact your AssuredPartners Real Estate Specialist for a comprehensive cyber security scorecard and average cost of a data breach for your company.