Prepare your Small Business for the 2022 Cyber Insurance Market

An increasing number of cyber claims – and ever-rising costs – have led insurers to protect themselves. Learn four ways to reduce your cyber exposure and become a better risk for underwriters.

The cyber insurance market has never been tighter. Statistics Canada data demonstrates that cybercrimes nearly doubled between 2018 and 2020 [1]. In response to an increasing number of cyber claims – not to mention ever-increasing costs – insurers are reconsidering their underwriting approach. And in the competition for coverage, small businesses may lose out.

[1] Statistics Canada, “Police-reported cybercrime, number of incidents and rate per 100,000 population, Canada, provinces, territories and Census Metropolitan Areas,” accessed April 2022.

Cyber Insurance Outlook

With the average data breach cost approaching $7 million in Canada [2], insurers can’t afford to keep paying out. Instead, they are utilizing all the tools they have at their disposal to protect themselves. This means making use of a variety of strategies, including:

Premium and deductible increases:

One way insurers manage the cost is by putting more of the responsibility on the insured. In the last year, premium rates have increased by over 300% in some cases, and deductibles are typically at least double what they were on the expiring policy.

Reducing capacity:

Another method is to reduce coverage limits or capacity to minimize the risk insurers take on. For some, $2 million is the maximum coverage cyber insurers are prepared to offer on a primary basis, compared to $10 million or more. Building towers of insurance has therefore become increasingly difficult and time-consuming.

Increasing scrutiny:

Many insurers are declining to take on organizations that aren’t doing their due diligence to protect against cybercrime. They are withdrawing or declining coverage for those organizations that aren’t meeting certain standards to prioritize their risk.

Become a Better Risk

When it comes to costs, there is little a small business can do. But it can take steps to make itself more attractive to insurers by implementing a breach plan and reducing cyber exposure. Consider these four steps to reduce your cyber exposure:

1. Review network security and privacy policies.

Even before an insurer will offer you a quote, they want to see you’ve done your due diligence. They are looking for security controls, including:

  • Multifactor authentication (MFA) for remote network access, email systems and privileged accounts
  • Remote desktop protocol (RDP) ports closed or placed behind a virtual private network protected by MFA
  • Privileged account access limited to those who need it
  • At least one email filtration solution, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication, Reporting & Conformance (DMARC)
  • A next-gen antivirus solution
  • An endpoint detection and response (EDR) solution
  • At least one copy of backups stored off-site or in the cloud

[2] CTV News, “Cost of data breaches in Canada hit new record in 2021: IBM,” July 28, 2021.

2. Train all stakeholders.

Cybercriminals work hard at their trade, but you must be ahead of the game. Create a culture of security in your organization. Offer regular training to teach employees, vendors and all key constituents to recognize and delete suspicious emails without opening them. This important step cannot be the sole responsibility of the IT department.

3. Prepare an incident response plan.

An incident response plan (IRP) is a comprehensive plan for addressing network security and/or privacy liability threats and attacks. The plan provides a kind of roadmap or “playbook” with guidance and steps to be taken, such as who to call, what to do, when to do it, etc. An IRP helps an organization document all the critical steps it needs to take from the time of the suspected breach to post-incident response and closure. Once considered a “bonus” for organizations going above and beyond, an IRP is now an expectation.

4. Rehearse with a tabletop exercise.

The IRP isn’t enough on its own; a dress rehearsal makes the plan real. A cyber tabletop exercise (TTX) is a simulated cybersecurity scenario exercise where participants (ideally members of senior management) must act, think and make decisions as if the cyber incident were real. The exercise exposes weak links in a safe environment. At the same time, those with decision-making authority are forced to make choices in a worst-case scenario.

About the author:

Patrick is the National Cyber Practice Leader at HUB International in Canada. As an insurance expert, he provides technical expertise in the analysis, placement and negotiation of management risk insurance coverages, including professional liability, crime and directors’ & officers’ liability insurance but with an emphasis on cyber liability insurance. In addition to negotiating terms and placing coverage, Patrick advises clients on how best to align breach response planning with insurance and risk mitigation solutions and provides claims expertise.
