August 3, 2021
Dean Flores
Principal, Risk Advisory Services Leader
Atlanta, GA

Poor Cyber Hygiene? Insurance Carriers May be Wary of Your Business
The last eighteen months have seen a significant increase in cybercrime, with high-profile ransomware attacks and theft of customer data. If you’re wondering how this risk affects your business, you’re not alone.
Your insurance carrier is wondering how this risk affects your business too.
Good cyber hygiene is fast becoming a prerequisite for coverage. Insurance carriers have stopped renewing or issuing policies for companies that have not adopted cybersecurity best practices. Over the next two years, it won’t be a matter of increased costs for cybersecurity insurance, but whether your company can qualify for coverage.
How it Came to This Point
The pandemic has grabbed most of the headlines since early 2020, but it was far from the only global threat demanding attention. Ineffective cybersecurity at corporations large and small has driven a boom in cybercrime — and the pandemic has made the situation worse.
The transition to a remote workforce, cloud-based platforms and increased use of personal mobile devices all make cybersecurity more difficult. In response, cybercriminals have stepped up their activities.
You’ve probably read about the high-profile breaches in data security. Cybercriminals pursue their “whales,” but they also target smaller companies on a daily basis. The Cost of Data Breach Report, sponsored and published by IBM Security, estimates that data breaches had an average cost of $4.24 million in 2021. The attacks come from criminals, hackers and other global state or non-state actors.
If your company’s cybersecurity has weaknesses, you’re risking ransomware attacks, data theft or disruption of critical business functions. These malicious acts damage or destroy longstanding customer and supply chain relationships. Brand value can disappear overnight. Regulators can impose penalties for compliance violations.
Remediation and rebuilding trust, where possible, will be a long, costly process.
Insurers Don’t Want the Risk
Too many businesses see their insurance coverage as a substitute for the discipline of good cyber hygiene. If you’re counting on offloading that risk on your insurance carrier, prepare to be disappointed. Moving forward, insurers will require more comprehensive cybersecurity risk analysis before writing or renewing policies. Expect higher premiums, tighter coverage and denial of claims if your company has let cybersecurity slip. You may find that you can’t renew or obtain cyber insurance without implementing best practices.
Before they write or renew a policy, insurers will want to see a much stronger corporate commitment to cybersecurity. According to Cybint, a global cyber education company, human error causes 95% of all cybersecurity breaches. Improving cybersecurity requires a cultural transformation. Management has to promote cybersecurity awareness and effective policies. Associates, for their part, must adopt a new mindset, one that recognizes threats and embraces responsibilities.
How to Manage Your Cybersecurity Risk
Once you conclude that your company’s cybersecurity needs improvement, it’s time to get granular.
You need a cybersecurity assessment to evaluate the strength and integrity of your network security architecture, policies, procedures and practices.
An effective risk assessment and gap analysis will define your current state of cyber hygiene and provide a roadmap to your desired state. It identifies systemic threats, vulnerabilities and the resulting risks to your business. With this assessment complete, you and your colleagues can implement best practices.
An experienced cybersecurity advisor will assess your company’s cybersecurity posture. The assessment should cover multiple domains, including access control, identification and authentication, and system and communications protection. You can see how your cyber hygiene compares to industry standard practices and effective cybersecurity frameworks.
Share the findings and recommendations with your employees, where appropriate. This will help drive a cultural shift, where people learn to connect their everyday actions and habits with enterprise security. You can also review your assessment with insurers, to demonstrate your commitment to accountability and continuous improvement.
Charting a New Path in a Changing Insurance Landscape
Insurers are taking a more detailed view of how they manage underwriting and claims. It makes sense for companies to re-evaluate the way they manage risk, too. You may want to talk to different carriers about specific data breach scenarios and first-party and third-party cyber liability coverage. Compare the policy exclusions, to make sure you have appropriate coverage, suitable terms and conditions, and acceptable costs.
As in any rapidly changing market, some insurers will embrace the challenges of cybersecurity, while others look for the door. Companies that make meaningful improvements in their cybersecurity should ask for better coverage options. They need insurers who have a clear-eyed view of risk and are ready to work with companies who know how to manage it.
If you plan to assess and manage your company’s cyber hygiene, we can help. Windham Brannon offers a suite of cybersecurity and virtual Chief Information Security Officer services aligned with your business goals. You can count on us for cybersecurity assessments, strategic planning, program design, staff training and ongoing monitoring.
To learn how effective cybersecurity can support your strategic business goals, contact an advisor at Windham Brannon.
