What To Do About the Cyber Breach Insurance Crisis

The earliest days of cyber breach insurance covering unauthorized network access, data loss, and malware-related claims began in earnest in the early 2000s – especially following the 2003 California Security Breach and Information Act, which mandated notification to any resident whose unencrypted personal information had been accessed or acquired by an unauthorized person.

After California, many other states followed suit, causing a domino effect for cyber breach insurance companies. It soon became standard for insurers to offer coverage for Digital Forensics and Incident Response (DFIR), public relations, credit monitoring, customer notification – and even legal fees, fines, and penalties stemming from cyber-attacks.

Fast forward nearly 20 years, and those naïve underwriters of the early 2000s could not possibly have envisioned the horrors (e.g., botnets, ransomware) and billions of dollars paid out in claims. In many cases, cyber breach insurance was driving bad behavior – i.e., “I have this policy; so, I don’t really need to pay for any other security controls.”

However, just as happened with homeowners coverage in Florida after Hurricane Andrew – The “perfect storm” has now arrived and businesses have suddenly found themselves in one of the following situations:

• Seeing their premiums increase up to ten-fold.
• Seeing policy deductibles of $1 million or more.
• Being dropped and/or not being able to be underwritten for a policy at all.

Just how bad is it? Well, the imbalance of supply and demand in the cyber insurance market combined with the direct loss ratio (i.e., insurance company payouts on claims) increasing from 47 cents for every dollar in earned premiums in 2019 to 73 cents in 2020, and further exacerbated by high-profile breaches such as Colonial Pipeline and Kaseya attacks in the summer of 2021, have resulted in 100-300% increase in premiums.

High risk companies are also experiencing either involuntary or voluntary reduction of coverage limits, and some insurance companies are no longer agreeing to include ransomware payments in coverage. In other words, prevention of attacks must be the focus of an organization, as they can no longer rely on cyber risk insurance to cover the full, or even partial costs of an attack.

I have been getting roughly a call per week about these issues now, with people asking how we can help out. Well, there are a couple of options here:

• We really do recommend having a cyber breach insurance as a best practice; but you need to be able to get that policy first, and it needs to be financially reasonable to obtain.
• Many have opted to self-insure now. This opens a whole new level of trust required in your IT security team to confirm that you’re doing the right things to lower risk.

Let’s take a deeper look at these two options…

For the first, insurance carriers are asking you to provide cyber due diligence. Just filling out the insurance application, and then stretching the truth a little bit about the state of your data protection, multifactor authentication, continuous monitoring with a Security Information and Event Management (SIEM) and a Security Operations Center (SOC), employee awareness training, formal program of vulnerability management, and annual network penetration testing – well, just your word is not going to cut it anymore. They want proof. And to have proof, you really need these security controls and processes in place.

Abacode can put all of this in place for you through our Managed Cybersecurity and Compliance Provider (MCCP) Core program. We also manage everything through a compliance portal, which not only tracks your progress versus a cybersecurity best practices standard; it also serves as a central repository for evidence and artifacts supporting your claims. So, when the underwriter wants to see proof you’re doing what you say you’re doing, you can now provide it in short order.

The MCCP Core program is equally effective for the self-insured. What we have done is look at all of the elements of a successful cybersecurity program aligned with best practices – say, the Center for Internet Security (CIS) ver. 8 Top 18 controls or the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) for Critical Infrastructure Protection – and help organizations assess, map, and implement these elements. Then, once compliance is achieved, we help you stay there indefinitely. Combine MCCP Core with a few other controls, such as having legal counsel, DFIR team, and PR crisis team on retainer, and now you have the equivalent of a fully covered cyber program.

In either case, insured or uninsured, Abacode’s goals are always as follows:

• To understand your business mission and help you achieve it,
• To lower cyber risk to an acceptable level, and
• To help maintain a state of compliance with cyber best practices forever, incrementally improving your posture at all times.

Observed in this light, cyber breach insurance doesn’t have to be a crisis situation for companies anymore. Please contact us at cyberconnect@abacode.com if you want to learn more about MCCP Core.