Thankfully, football season is upon us! And I make no secret about being a long-time and unwavering New England Patriots fan. Even though Tom Brady has moved on, I remain as dedicated as ever to the massive men in red, white, and blue.
Like most New Englanders, my interest in the Patriots began when I was a kid. My love of attending games, however, really took off when I met Tony, a close friend of my father-in-law, himself a misguided NY Giants fan.
Tony had been a season ticket holder since 1969 and almost never missed a home game (including preseason). At some point, he started inviting me to join him. I think he liked my knowledge of the roster and how well versed I was in Patriots history.
Sadly, Tony passed away in late 2018. But we had a great time together over the years: pregame tailgating, rides to and from the games, heckling my father-in-law about his love of the godforsaken Giants.
I think about Tony a lot during this time of year. As the old saying (and glam metal song) goes, “You don’t know what you got till it’s gone.”
You know what else can no longer be taken for granted? Cyber insurance coverage!
Indeed, as the CEO of insurance giant AIG, Peter Zaffino, recently explained, “We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware, and the systemic nature of cyber risk generally.”
In plain English, that means two things: reduced coverage and higher fees … even among companies that have been paying faithfully for years with zero cyber incidents! I have even spoken with prospects and clients who cannot get cyber insurance coverage at all.
I suppose we shouldn’t be surprised. Cyber insurance is super-profitable when there are few incidents requiring a payout. Today, of course, given all the recent cyber-attacks and breaches, all that has changed, as have the cost and availability of coverage.
This is troubling for two reasons:
First, it prevents companies from managing risk.
The entire purpose of buying insurance is so that you can transfer risk to a third party. But if you can’t get sufficient insurance, it’s like owning a home with no coverage – your valuable asset is no longer protected.
Second, it’s a signal that insurance carriers are losing faith in the business community’s ability to protect itself.
Looking for earthquake insurance? It’s cheap in Boston. It’s expensive in San Francisco. It’s unavailable in a location that experiences an earthquake every other day. Well, at the moment, the insurance industry is telling businesses that they are sitting atop a major fault!
As a whole, company cybersecurity programs are terrible, and companies are not taking sufficient steps to remedy the problems. In the eyes of the insurance industry, these businesses are simply not worth the financial risk.
A Strategy for Obtaining / Maintaining Cyber Insurance
#1. Speak with your broker.
Do you know the reasons why you were denied/reduced coverage? Can your broker identify other carriers who might cover you?
Yes, it’s possible that you are truly uninsurable. But it’s also possible that your broker prefers to deal with just a few carriers (none of whom will work with you) or is not well versed in this complicated and fast-changing discipline. If your current broker can’t help, consider identifying someone who can.
#2. Address the underlying security challenges.
Reasons for denial can be a bit mysterious. That said, the standard requirements are not particularly onerous or hard to figure out. Not to say that implementing these things will miraculously change everything, but if you don’t have these in place, you’ll most certainly run into some roadblocks:
- Anti-virus (AV) on every laptop. This can be challenging for developers because of the performance hit. Absent that, there are few good reasons for not implementing AV company-wide.
- Multi-factor authentication (MFA) for every service. Sure, MFA can be a mild inconvenience. You know what else is inconvenient? Having the bad guys log into your systems!
- A firewall on your network. This one should not be a problem for any organization. There are many economical choices, and the downside of going without one far outweighs any cost or convenience objections.
Conclusion
Cyber insurance, like good friends, is something that most people don’t give a lot of thought to … until it’s gone.
That’s unfortunate, since as the value of your asset (i.e., your business) grows, so too does your degree of risk. If you are not adequately covered, especially in today’s increasingly threatening environment, you are rolling the dice with each passing day.
Gotta run! There’s a Patriots preseason game tonight and I don’t want to miss a minute of it.