Cyber liability insurance is not the most exciting topic to talk about, but with the increasing number of claims being filed, many business owners are seriously considering it. Cyber liability insurance is designed to help cover businesses in the event of a ransomware attack or other malicious attacks on your network and to help offset any money spent handling the situation. Many insurance providers are changing their security standards to ensure the businesses they cover are making a good effort to secure and control their networks internally.

According to our partners at TechRug, 60% of small businesses (defined as 25 million in revenue or smaller) hit by a cyberattack are out of business in six months. Although many people think they will never be a victim of malicious attackers, the truth is that mindset could be what forces your business to close its doors.

Why are these changes coming about now?

Many business owners who already have cyber liability policies may be wondering why insurance companies have significantly different requirements at renewal time compared to previous years. Although we may not know the exact reason, we can make a best guess.

In the past two months, we’ve seen the Colonial Pipeline hack, the JBS meat hack and, over the July 4th weekend, the encryption of over 1,000 businesses due to the compromise of a software provider in the IT space. Those incidents raised large red flags across our industry and brought to insurers’ attention that many businesses are failing to properly secure their networks and are vulnerable to attacks.

In the Colonial Pipeline attack, millions of Americans were negatively impacted. They struggled to get gas, causing panic purchasing across the East Coast. For JBS, the ransomware attack meant halting processing, which in turn is expected to increase the cost of meat nationwide.

Cyber liability insurance is very similar to auto insurance. Both are designed to return the insured to where they were prior to the incident. As technology changes, the requirements and pricing of a policy change. Automobile policies aren’t treated the same way if the occupants weren’t wearing seatbelts at the time of the crash. Driving a car without the latest safety features can be equally costly.

Network security implementation failed to prevent the breaches above and allowed the attackers to access critical areas of the business. Needless to say, the security parameters were not as strong as they could have been. Now, insurance providers are asking their policyholders to answer new questionnaires that give them better insight into the controls you have in place, in the same vein as they would ask about your car or driving habits.

What is changing with the policies?

As a managed service provider, we look over and are responsible for many different organizations’ IT infrastructure. Part of this responsibility is to ensure our clients are compliant with their cyber liability policies, and this allows us to see what their insurance companies are asking on their new questionnaires. Here are some changes to look for.

1. Increased network security and controls

Many of the questionnaires we have seen recently ask businesses much more in-depth questions. These cover where multi-factor authentication is required, what firewalls are being used, what anti-malware software is installed, and more.

These questions are designed to make sure owners and IT departments are updating critical business technology and requiring controls over commonly breached areas of environments. Here are a few of the questions we have seen come through:

Indicate whether your business currently has the following in place:

  • Up-to-date, active firewall technology: yes / no
  • Up-to-date, active anti-virus software on all computers, networks, and mobile devices: yes / no
  • Multi-factor authentication for remote access to the organization’s network and other systems and programs that contain private or sensitive data in bulk: yes / no / NA

2. Expectations of business continuity and disaster recovery (BCDR)

BCDR is a common term in the MSP industry but is less known by the general public. BCDR includes all the processes you have in place to back up your data, both in the cloud and in the office(s). The plan consists of the tools and steps owners would take in case something were to happen to their network. The goal of this plan is to ensure you don’t lose data or other important documents in the event of a disaster. You can learn more about back-up continuity planning here.

The following are questions we have seen come up on questionnaires regarding this topic:

Indicate whether your business currently has the following in place:

  • A disaster recovery plan, business continuity plan, or equivalent to respond to a computer system disruption: yes / no
  • An incident response plan to respond to a network intrusion: yes / no
  • Are all plans indicated above tested regularly with any critical deficiencies remediated? yes / no / NA

What do these changes mean for your business?

These changes should encourage businesses to reevaluate their current policies for several reasons.

  1. Make sure you have the proper security controls in place in order to be compliant with the issuer’s standards.
  2. Use their standards as guidance and be sure that you have an IT person or vendor who can manage firewall and other software updates, to ensure you are always compliant.
  3. Be sure that the policy you hold is going to provide you the coverage you need. Not all policies are created equal and reading the fine print of your policy will give you the info you need to make the right decision.

If you do not already have a policy, then you should consider these changes as you go on the hunt for coverage. Cyber liability policies are not fun to talk about, but they are necessary for every business because of the upward trend in cyberattacks we have seen over the past five years.

Click here to take a cyber liability self-assessment to ensure you have the current security standards in place. FusionTek can help strengthen areas of your business that may be vulnerable.

Founded in 2007, FusionTek began with a mission to help small and medium-sized businesses get a real return on their technology investments. Since then, we have remained dedicated to providing state-of-the-art IT support, service and products that allow our clients to get ahead of the competition and achieve success.