Cyber Liability Insurance is not the most exciting topic to talk about, but with the increasing number of claims being filed, many business owners are seriously considering it. Cyber Liability Insurance is designed to help cover businesses in the event of a ransomware attack or other malicious attacks on your network and to help offset any money spent to handle the situation. Many insurance providers are changing their security standards to ensure the businesses they cover are making a good effort to secure and control their network internally. According to our partners at TechRug, 60% of small businesses (defined as 25M in revenue or smaller) hit by a cyber-attack are out of business in 6 months. Although many people think they will never be a victim of malicious attackers, the truth is that mindset could be what forces your business to close its doors.
Why Are These Changes Coming About Now?
Many business owners who already have cyber liability policies may be wondering why insurance companies have significantly different requirements at renewal time compared to previous years. Although we may not know the exact reason, we can make a best guess.
In the past two months, we’ve seen the Colonial Pipeline hack, the JBS meat hack and, over the July 4th weekend, the encryption of over 1000 businesses due to the compromise of a software provider in the IT space. Those incidents raised large red flags across our industry and brought to insurers’ attention that many businesses’ networks are vulnerable to attacks. In the Colonial Pipeline attack, millions of Americans were negatively impacted. They struggled to get gas, causing panic purchasing across the East Coast. For JBS, the ransomware attack meant halting processing, which in turn is expected to increase the cost of meat nationwide.
Cyber liability insurance is very similar to auto insurance. Both are designed to return the insured to where they were prior to the incident. As technology changes, the requirements and pricing of a policy change. Automobile policies aren’t treated the same way if the occupants weren’t wearing seatbelts at the time of the crash. Driving a car without the latest safety features can be equally costly. The network security implementation failed to prevent the breaches above and allowed the attackers to access critical areas of the business. Needless to say, the security parameters were not as strong as they could have been. Now, insurance providers are asking their policy holders to answer new questionnaires that give them better insight into the controls you have in place, in the same vein as they would ask about your car or driving habits.
What is Changing With The Policies?
As a managed service provider, we oversee and are responsible for many different organizations’ IT infrastructure. Part of this responsibility is to ensure our clients are compliant with their cyber liability policies, and this allows us to see what their insurance companies are asking on their new questionnaires. So, we thought we would share what changes to look out for:
Increased Network Security and Controls:
Many of the questionnaires we have seen recently are asking businesses much more in-depth questions. This includes information about where multi-factor authentication is required, what firewalls are being used, what anti-malware software is installed, and more. These questions are designed to make sure owners and IT departments are updating critical business technology and requiring controls over commonly breached areas of environments. Here are a few of the questions we have seen come through:
Indicate whether your business currently has the following in place:
- Up-to-date, active firewall technology: yes / no
- Up-to-date, active anti-virus software on all computers, networks, and mobile devices: yes / no
- Multi-factor authentication for remote access to the organization’s network and other systems and programs that contain private or sensitive data in bulk: yes / no / NA
Expectations of Business Continuity and Disaster Recovery (BCDR)
BCDR is a common term in the MSP industry but is less known by the general public. BCDR includes all the processes you have in place to back up your data, both in the cloud and in the office(s). The plan is comprised of the tools and steps owners would take in case something were to happen to their network, and the goal of this plan is to ensure you don’t lose data or other important documents in the event of a disaster. You can learn more about back-up continuity planning here.
The following are questions we have seen come up on questionnaires regarding this topic:
Indicate whether your business currently has the following in place:
- A disaster recovery plan, business continuity plan, or equivalent to respond to a computer system disruption: yes / no
- An incident response plan to respond to a network intrusion: yes / no
- Are all plans indicated above tested regularly with any critical deficiencies remediated? Yes / no / NA
What do these changes mean for your business?
So, what does this mean for your business? These changes should encourage businesses to re-evaluate their current policies for several reasons:
- One, you need to make sure you have the proper security controls in place in order to be compliant with the issuer’s standards.
- Two, you need to use their standards as guidance and be sure that you have an IT person or vendor that can manage firewall and other software updates, to ensure you are always compliant.
- Three, you need to be sure that the policy you hold is going to provide you the coverage you need. Not all policies are created equal and reading the fine print of your policy will give you the info you need to make the right decision.
If you do not already have a policy, then you should consider these changes as you go on the hunt for coverage. Cyber liability policies are not fun to talk about, but they are necessary for every business because of the upward trend in cyber-attacks we have seen over the past five years. If you are interested in taking a cyber liability self-assessment to see if you have the current security standards in place, you can do so here. After the assessment, you will know where your business security measures stand in the eyes of many insurers. On top of that, we will provide you with some basic steps you can follow to strengthen any areas of your business that may be vulnerable.