Changes in Cybersecurity Insurance

The NIST Cybersecurity Framework (CSF) identifies 5 categories that are required to enable a stance against Cyber Attacks.

For most organizations one of the first approaches is to establish a Cybersecurity Insurance policy which falls into the Recovery category, which is the last function within the NIST CSF. This approach is designed to support transfer of responsibility and also make funds available when attacks are successful. The problem with this approach is that an attack still happens which causes impact on multiple levels. These levels range from reputational damage and disruption of operations all the way to the need to rebuild a new protected infrastructure.

The unfortunate aspect is that both business owners and insurance carriers were under the illusion that just having a policy in place was the correct approach. For the last 5 years, carriers have allowed organizations to establish these cybersecurity insurance policies with ease; however, the processes around Identification, Protection, Detection and Response were not in place. This has caused carriers and businesses to be negatively impacted financially. In response, carriers have now modified the requirements needed for organizations to establish a policy.

The modified requirements are centralized around how businesses have established controls or technology in place not only to address the first four categories (Identification, Protection, Detection, and Response) but also demonstrate maturity around them. This allows insurance carriers to provide a policy that would effectively support the organization in the worst case scenario, ransomware, while at the same time minimize their risk on investment.

From a technical perspective the following mechanisms are needed:

• Email Security

• Endpoint, Detection and Response (EDR)

• Next Generation Firewalls

• Multi-factor Authentication

From a process perspective the following Services are needed:

• Continuous monitoring and response to security events

• On going training and awareness of employees

Haven is a  military grade cybersecurity as a service package that meets all requirements needed in order to  establish such policies.   Aside from meeting these requirements, Haven will create a protection first approach which in essence reduces the need for a cybersecurity policy.    

Summary: 

• Continual growth seen in claims is leading to larger policy rates

• Carriers adding limits to the policies

• Support and claim turnaround times are increasing due to an increase in volume of claims

• Services and coverages within the policy are being excluded

• Requirements to achieve baseline requirements to be granted a policy are increasing

For more information please contact an account executive.