In cyber, it's often what we don't know that can hurt us the most. Even though cyber risks have been around since at least the 1980s, the growing and evolving threat of cyber attack keeps changing not just the landscape of cyber coverage, but also the very rules of the game itself. As a result, the Who, What, When, Where and all the other factors of coverage have come under the microscope as never before.

It was clear that for many companies, their liability was moving from the real world to cyber space. Today’s digital workplace has deepened and expanded cyber exposures.

Nick Carozza, RPS area vice president

The cyber insurance underwriting process is all about evaluating the risks when considering a business for coverage. Underwriters are keeping a close eye on what is included in cyber insurance policies as they evaluate the risks associated with the increase in cyber attacks.

But, too often, underwriters are going in blind, in part because cyber incidents can go unreported, preventing insurers from aggregating information about the incidents into a database to analyze.

Another challenge for underwriters in determining coverage is inconsistent terminology for policy terms. For example, "silent cyber risk" is also called "unintended cyber risk" and "non-affirmative cyber risk." Inconsistent terminology can lead to confusion about what is covered. With a stronger understanding of terminology, underwriters can decide how to best match coverage to the issue.

The New Risk Picture for Insurers

The recent trends in cyber attacks have changed what that risk picture looks like for insurers.

As RPS's 2021 Cyber Market Outlook explained, underwriters are now asking companies more strategic and detailed questions about their security safeguards and practices. They're taking a deeper dive into what companies are doing to mitigate cyber security risks, so they can best assess coverage.

This year’s changes in capacity, underwriting standards and even increases in premium were a necessary evolution. These changes should lead to most insurance companies having a more stable cyber book in the future.

Steve Robinson, RPS national Cyber practice leader

How can you help clients navigate this minefield? Here are some key actions your clients can take that address what underwriters are requesting. Be prepared to provide comprehensive information during the application process.

  • Back up data properly to prevent ransomware attacks. The U.S. suffered 65,000 ransomware attacks last year,[1] more than seven attacks an hour. Because ransomware steals your data, you must have working backups of all your vital data, as well as any application or IT infrastructure that supports it. Make sure ransomware can't encrypt your online backups and that your data is segregated from other company systems. Back up your data often and regularly test your recovery process.
  • Check email security and filtering to thwart phishing scams. Phishing is one of the most common types of social engineering attacks. In a 2021 survey of enterprise IT professionals,[2] 74% of respondents said their organizations fell victim to a phishing attack in the last year, with 40% confirming they experienced one in the last month. Start by upgrading your company's email security and filtering systems. Educate employees about how to spot phishing emails and to not open suspicious links and attachments.
  • Protect all entry points to increase cyber security. Distributed workforces and the rise in working from home have opened more holes in a company's cybersecurity. Home offices aren't equipped with the same level of protection as company offices. Employees may be using personal devices to conduct business or for multi-factor authentication (MFA). Underwriters are upping their tech game by assessing an organization's security with the same scanning technology hackers use, identifying vulnerabilities that hackers could use as a network entry point — such as the lack of a firewall in a home office. Underwriters use this information to develop a metric-based estimate for a potential cyber attack.
  • Enforce MFA to stop password attacks. In a survey, 44%[3] of employees said they reuse passwords across their personal and work-related accounts. Weak passwords, unwise password storage and sharing passwords with colleagues all contribute to attackers gaining access to a company's critical information. Advise employees of good password practices, implement MFA and install a lockout feature to freeze an account after multiple invalid password attempts.

Clients need cyber coverage more than ever, and underwriters need help building policies that work for all involved. By taking steps to align your clients' interests with those of underwriters, you'll be better positioned to secure this much-needed coverage at limits and costs that benefit all involved.

Sources

[1] Gura, David. "U.S. Suffers Over 7 Ransomware Attacks An Hour. It's Now A National Security Risk," NPR.org, 9 Jun 2021.

[2] "Fatigued IT Teams and Ill-Prepared Employees Are Losing the War on Phishing, Ivanti Study Confirms," Ivanti, 20 Jul 2021.

[3] "Workplace Password Habits Leave Organizations Vulnerable to Cyberattacks," Keeper, accessed 28 Sep 2022.