Cyberinsurance Companies Raising Rates, Tightening Requirements
- By Kristal Kuykendall
- 02/04/22
Last year saw alarming growth in the number of cyberattacks targeting North American universities, and the costs of ransomware attacks continued climbing as well. Now industry experts are warning that cyberinsurance premiums will skyrocket this year across all sectors as underwriters crack down on the amount of risk they'll accept — and insurers have begun requiring organizations buying policies to prove that their network security is in tip-top shape before they even get a quote, let alone active coverage.
The 2022 Cyber Market Conditions Report from Gallagher Risk Management Services projects that cyber policy premiums will be 100% to 300% higher for organizations that do not have "best-in-class" security controls in place — if they are provided a quote at all.
Education organizations likely face the steepest premium increases, since research has suggested they are furthest behind on network security: In a Public Sector Cybersecurity Survey Report last month, SolarWinds found that a majority of education respondents have not improved their cybersecurity detection or resolution capabilities despite the growing threat landscape.
Universities and school districts have already seen some impact from the changing insurance market: One K–12 district in Illinois recently revealed that its annual premium jumped 334% to over $22,000, and a California insurance executive reported that her education-sector clients were declined for cyberinsurance 37 times last year while her clients who found coverage saw deductibles climb from $25,000 to $1 million and premiums increase as much as ten-fold.
Richard Seiersen, chief risk officer at Resilience Insurance, said the rush to digital transformation during the pandemic and the sharp increase in cyberattacks have created a kind of "perfect storm" for the cyberinsurance market. Formerly a chief information security officer at several worldwide organizations, Seiersen has consulted for higher ed institutions on cyberinsurance and security; his second book on cyber risk management comes out next month.
Prior to the pandemic, as the cyberinsurance market grew, insurers "were not that discriminating in who they would cover," he said. "Insurers would not necessarily take into consideration the value of your controls, as in, how good is the security of the organization being insured, nor were insurers considering the value at risk, like how valuable is the data being controlled and potentially insured?"
What was more common among cyberinsurance underwriters was a "benchmarking approach where an insured organization looks like this other insured organization, so those similarities would determine their policies," Seiersen said. "They'd insure almost anyone with no idea what security controls they had in place."
As a result, the cost of insurance is going up so insurers can recover from those losses, and it's getting harder to obtain cyberinsurance coverage.
"If you can't demonstrate your cybersecurity fitness, you won't be able to get coverage," he said. "It is great motivation for the insured to actually get healthier, so to speak, just like with auto insurance providing incentives for their customers to drive slower and so forth."
Gallagher Managing Director of Cyber Practice John Farley echoed this in his 2022 Cyber Market Conditions Report: "Ransomware attacks continued to ravage the bottom lines of both their victims and insurance carriers. In fact, during the first six months of 2021 we saw $590 million paid in ransom payments, as opposed to $416 million paid in all of 2020."
But ransom payments are only a fraction of the total bill for a cyberattack, the report said: "The latest studies revealed that over the past year the average downtime from a ransomware attack was 23 days with average business interruption losses and other costs increasing from $761,106 to $1.85 million in 2021."
The Big Changes in Cyberinsurance in 2022
Farley's report summarized four key changes that will affect cyberinsurance buyers and their budgets this year — if they haven't already:
Rate increases. Cyber premiums are increasing across the board, regardless of the industry sector or size of the organization. Cyber underwriters are "being cautious or even moving away from" specific industries, including municipalities, public schools and higher education.
Coverage limitations. Many carriers have begun imposing "sub-limits and co-insurance provisions specific to ransomware claims, often resulting in coverage being limited to 50% of the policy limit or less." Certain carriers added "exclusionary language to specific known vulnerabilities; failure to remediate these could lead to a denial of coverage for losses attributed to them."
Capacity constriction. There hasn't yet been a mass exodus of insurers leaving the cyber market, but there are "clear indicators that carriers want to limit their exposure through limiting capacity," with policy limits routinely being reduced to half of prior amounts.
Greater underwriting scrutiny. Almost all carriers are requiring far more details about a potential insured's data security control efforts. Organizations can expect many questions on their current ransomware prevention and mitigation efforts, if not a full security audit.
What Cyberinsurance Policies Will Likely Require
ConvergeOne, a nationwide provider of cybersecurity services and digital infrastructure, is working with school districts, higher ed institutions and organizations across many sectors to analyze their network security and prepare for the detailed assessments insurers are now requiring before a policy can be purchased.
Senior Director of Cybersecurity Chris Ripkey said education organizations without mature security systems in place will no longer be able to use their cyberinsurance policies as a "get out of jail free card" when cyberattacks occur.
"Cybersecurity is just one more area schools and universities are being forced to deal with — and there have been a lot of changes on the cybersecurity landscape in a short amount of time — and they have to do all this on a very limited budget," Ripkey said.
Education institutions shopping for or renewing their cyberinsurance, he said, can expect to be asked to demonstrate that they have the following protections, at a minimum, in place:
- Multi-factor authentication;
- Antivirus and malware protection;
- A mature data privacy program to protect student and staff information;
- A robust patch management system;
- Managed endpoint detection and response services; and
- Immutable backups separate from the rest of the infrastructure.
"The cyberinsurance brokers will ask for all this information in a self-assessment, and if you don't meet the minimum requirements, they are not going to insure your (organization), or your premiums are going to be a lot higher," Ripkey emphasized. "Our advice is to do your own full assessment before shopping for insurance — take stock of your security practices and where you stand."
For smaller campuses without a chief information security officer on staff, he recommends either contracting with a virtual CISO service or starting a self-assessment using the free Top 18 Critical Security Controls guide from the Center for Internet Security.
With the changes in the cyber market pushing demand for on-demand cybersecurity expertise such as virtual chief information security officers and cybersecurity auditing and advising, ConvergeOne recently introduced Cyber Recovery as a Service, enabling its clients to use an air-gapped cyber vault to successfully recover their data from ransomware attacks without having to pay a ransom. The service includes proactive monitoring and other protective steps to help fend off attempts at cyberattacks as well.
Later this month, Ripkey added, the company will launch a cyberinsurance advisory service. "It is a point of discussion now with our clients, but this will be a uniform service offering a deeper dive and assessing client cybersecurity health before they shop for new cyberinsurance or update their existing policies," he said.
Another thing Ripkey said education organizations should consider when buying a policy is whether the insurer has expertise in cybersecurity, and which vendors the insurer is contracted to use for remediation or recovery in the event of a cyberattack.
Seiersen — who left his career as a CISO to lead Resilience's specialization in the cyberinsurance market — advised this as well. "You get what you pay for," he said. "The cheaper the policy is, the more exclusions and lower limits and even sub-limits it will have. Look for insurers who have actual operational expertise."
Although the stricter requirements for cyber coverage are likely to come as a shock to many education budgets, Seiersen predicts the bigger impacts on the education sector and specifically education IT departments will be positive.
"From my perspective as a longtime cybersecurity guy, I see the good side of this: Organizations can no longer just transfer their risk without keeping their security up to speed — they will have to expand their security capabilities to get coverage," Seiersen said. "In the future, I believe that cyberinsurance requirements will be a prime driver in how organizations build their security programs and their budgets; instead of the general counsel or chief financial officer exclusively calling the shots on cybersecurity budgets, it'll be the CISO, and that all will work to dramatically reduce the likelihood of security losses from cyberattacks."