
Q&A: Insurance and Cybersecurity Policies

One of the greatest challenges insurance agencies face here in New Hampshire is the growing problem of insureds not having adequate cybersecurity risk controls.

The Rowley Insurance Agency in Concord provided the following insight into how fellow New Hampshire insurance firms can provide the best ransomware protection policies for their clients given the complexities involved.

In just a few short years, we have seen the frequency and severity of global cyberattacks turn the U.S. insurance marketplace upside down.

For a newer product just 14 short years ago, we have seen a transformation of a product design to provide private information become one of the most important lines of insurance that provide true business continuity regardless of the size or industry segment.

It is hard to turn on the news today without hearing about ransomware attacks, from those on insurance companies such as C.N.A. to the shutdown of the Colonial Pipeline.

Ransomware attacks rose 92.7 percent from the 2020 levels, and trends point to an additional 62 percent increase for the upcoming year.

So, what are some of the best ways New Hampshire insurance carriers can meet this challenge?

Christine Holman, Executive Vice President, Rowley Insurance Agency, Concord

Q: What are some of the minimum requirements carriers need to look at?

A: Given the significance of ransomware attacks, insurance companies are pushing more proactive risk management requirements onto the insured. Most carriers require minimum security controls in order to be considered for terms:

• Multifactor authentication on remote access, privileged accounts and e-mail access

• Endpoint detection and response on at least 95 percent of an applicant’s endpoints

• Fully segregated back-up secured with separate credentials. (Some carriers require this to be cloud-based back-ups only.)

• Phishing training for employees

• 24/7 security operations center

Q: What are some of the most important exclusions and limitations to consider?

A: Markets continue to amend coverage with exclusions running the gamut from common endorsements to very specific coverage restrictions in response to a particular scenario. Most carriers now sublimit ransomware, particularly on tougher risks, and many are attaching coinsurances on ransomware as well, with some pushing coinsurance regardless of controls in place.

We are also seeing dependent business interruption and dependent system failure sub-limits in the current market. Many carriers are introducing widespread event restrictions, which speaks to systemic supply chain exposures. Some are limiting widespread event exposure with coinsurance and others outright excluding coverage.

We are also seeing a resurgence of the “failure to patch” exclusion from cyber-yesteryear, where markets are applying coinsurance based on how late insureds are in updating systems.

Q: What is the best advice you can offer to help insurance carriers better serve their clients?

A: The best thing agents and brokers can do for their clients is to think like an underwriter and communicate the importance of mitigating risk with security controls. While agents and brokers may not be cybersecurity experts, there are services available to insureds that provide guidance from cybersecurity professionals to help them implement proper controls to get the best terms possible in the marketplace.

Additionally, many carriers have pre-breach services available as a benefit to policyholders, and taking advantage of this perk could make a difference in the next renewal. Insurance agents should be touching base with insureds mid-term to discuss their security posture and encourage them to start the renewal process early for the best opportunity to find the coverage they need.

