The recent spike in cybersecurity incidents, many of which are ransomware, has made an already hardening market historically hard. Insurance rates continue to rise amid changes in the economy. Cyber Insurance policies are seeing increases of 25-50%, even if there has never been a claim!
In addition to rate increases, insurance carriers are restricting “capacity,” which represents how much limit they are willing to issue on a given risk. This is driven by a carrier’s ability to obtain reinsurance and the rising cost of the premium they pay to obtain it. Insurance carriers that were once willing to offer $5 million to $10 million in limits may now only offer $2 million to $5 million.
This all adds up to businesses facing an insurance market with conflicting pressures. First, they have to accept that a cyber claim today costs significantly more than just two years ago due to the increased ransom demands and business interruption implications. Second, insurance carriers are charging more for less coverage.
When your next Cyber Insurance renewal rolls around, be sure to ask these key questions to best minimize the challenged insurance market’s impact on your business.
How much limit is the right amount for my business?
It isn’t a perfect science, but brokers and businesses have tools at their disposal to project and anticipate the potential costs of a cyber incident. Gone are the days when entities with a high volume of private information, like healthcare organizations, are adequately covered with only $1 million in Cyber Insurance limits. The larger the organization, or the more reliant it is on data, the more likely a hacker is to demand a ransom that will erode the limits purchased.
Do I need to worry about ransomware coverage restrictions?
Insurance carriers are becoming increasingly restrictive when offering Ransomware/Extortion coverage. Some carriers sublimit it to a smaller amount, like $500,000, while others add larger deductibles or coinsurance. For example, a 50% coinsurance penalty means that your business pays 50% of the ransom demand and the insurer pays the other 50%. And the ransom could be anything! This makes it almost impossible to predict your out-of-pocket costs in this scenario.
Full limits of coverage for ransomware claims are available in the insurance market (at least for now). Therefore, you should not settle for an insurance policy that doesn’t offer full and comprehensive coverage for a cybersecurity incident. And be sure to keep an eye out for state and federal legislation, as some authorities have discussed banning ransomware payments altogether, which would eliminate this coverage outright.
Are there social engineering coverage restrictions that could impact my business?
Much like ransomware, social engineering claims occur quite frequently for businesses. And also like ransomware, they can result in thousands to millions lost. Insurance markets rarely offer higher limits for this coverage, with a sublimit set around hundreds of thousands of dollars. Businesses should seek the highest limits available from their carrier and implement strong internal processes to mitigate the likelihood of falling victim to a social engineering attack.
What happens if my business has downtime due to an attack on a partner or service provider?
Some insurance carriers make coverage decisions that distinguish between your on-premise IT systems and cloud-based IT systems, which are managed by a partner or service provider. They do this by drawing a line separating Business Interruption coverage and Dependent or Contingent Business Interruption coverage.
Business Interruption coverage protects revenue lost during a cyber incident that resulted in downtime to the IT systems you control, whereas Dependent or Contingent Business Interruption coverage protects against revenue lost when you suffer downtime due to a cyber incident targeting your partner or service provider. Some carriers even broaden this coverage to include non-IT providers or vendors. For example, if a critical supplier is the victim of a ransomware attack which then impacts its ability to deliver supplies, in turn impeding your operations and revenue, the coverage will respond.
It is important to note that, as supply chain risk has continued to be a point of concern (for example, the SolarWinds Orion attack, which compromised 18,000 businesses by attacking just one), insurance carriers have reduced their willingness to cover Dependent Business Interruption. If your business is heavily dependent upon cloud or other outsourced service providers, keeping full policy limits on this coverage is very important.
Can insurance protect against reputational harm that my business may incur?
Some cyber incidents are so significant that they can result in negative media coverage, which can in turn result in the loss of current and/or future customers. Reputational Harm protection helps organizations that are victims of a cyber attack by compensating for revenue impact AFTER an event has been resolved.
Insurance carriers have begun to restrict their willingness to offer higher limits for Reputational Harm, and organizations that are heavily dependent upon their reputation may need to consider markets that will offer them limits that are adequate for their business needs.
What do I do if bodily injury or property damage results from a cyber incident?
Cyber Insurance policies traditionally have exclusions for both Bodily Injury and Property Damage as a result of a cyber incident. But what happens when a cyber incident is the direct cause of either? Insurance carriers are addressing a small part of this risk by adding explicit coverage, typically limited to the hundreds of thousands in limits.
If your organization’s operations involve a significant human exposure, like healthcare, then having Bodily Injury coverage on your cyber policy should be under consideration. Similarly, if your operations have a heavy property risk, for example in the manufacturing industry, then having coverage for Property Damage is worthwhile. This is important as the other policies that you might traditionally expect to cover these types of claims – General Liability and Property policies – could have exclusions for anything cyber related.
Cyber Insurance is evolving almost as quickly as the risk itself. Businesses need to keep a close eye on how their coverage is changing, in addition to its cost. For help in assessing your cyber risk or benchmarking the appropriate limits for your business, contact us via the form below.