2022 was the year that changes in the cybersecurity insurance market started to pop up on business leaders’ radars. Unfortunately, it was usually in the form of a significant increase in the cost to renew a cybersecurity insurance policy or an increase in minimum security requirements to be eligible for coverage. Many of you may be wondering what to expect for 2023. As with most predictions about 2023, the answer is mixed.
The good news is that most experts think that insurance rate increases will finally begin to stabilize. Previous rate increases combined with a recent downturn in ransomware payouts have helped stabilize the insurance industry. While some customers have seen coverage rates jump as much as 400% in the past couple of years, there is hope that moving forward rate increases won’t be the budget-busters they’ve been recently.
Flatter prices, however, don’t mean there won’t be changes. Insurance companies are expected to continue to tighten their underwriting requirements. Expect to see insurers increase their requirements for the implementation of security tools within your environment, more stringent reviews of your incident response plans, reduction of coverage for events that should have been prevented, and limiting maximum payouts.
The executive summary is that if you want cybersecurity insurance for your business in 2023, you’re going to have to continue to focus on improving your security practices. Let’s take a closer look at some of the areas everyone should be paying attention to in 2023.
Misconfigurations Are the Biggest Threat
Given the complexity of modern networks, it should come as no surprise to anyone that simply installing a security tool isn’t adequate to protect against today’s sophisticated criminals. If the security tools aren’t configured to both match the unique requirements of your network and protect against emerging threats, cybercriminals will find those deficiencies and exploit them.
A recent report from Microsoft found that over 80% of ransomware attacks can be traced back to the misconfiguration of cloud services and security settings. Gartner predicts that for the next two years, 99% of all cloud security failures will be the customer’s fault. The cloud service providers have built security into their products but customers aren’t configuring and using those security features properly.
Many cloud service providers are moving to a shared responsibility model.
Considering that ransomware attacks are the leading cause of cyber insurance claims, it’s unlikely that insurance companies will be interested in continuing to pay out claims to companies that brought this upon themselves by not properly configuring their security tools.
To help detect these misconfigurations in advance, insurance companies are beginning to use network scanning technologies to detect security weaknesses. With this “inside-out” underwriting model, your insurance rates and general insurability will be based on the results of this security scan. The more vulnerabilities they detect, the higher your rates until the insurance company decides your business is uninsurable.
Insurers Are Reducing Coverage
Even if your business is able to get cybersecurity insurance, your coverage will likely be limited compared to what you have today. Payout limits have been reduced over the past couple of years even while policy rates have increased. Those payout limits are expected to stabilize in 2023, but they will be lower than what you had two years ago.
It’s important to remember that there are several parts to a comprehensive cybersecurity policy.
- Network Security – this covers the direct costs of a security incident, including IT forensics, ransomware payments, and data restoration.
- Business Interruption – this allows for the recovery of lost revenue and other expenses incurred while the network was down.
- Errors and Omissions – this covers issues where your security incident prevented you from doing something you were contractually obligated to provide to someone else; for example, failing to pay a vendor on time because of a ransomware attack.
- Privacy Liability – this covers the escape of financial and personal information, covering both lawsuits and governmental fines.
Because the majority of security incidents are now caused by misconfiguration, insurance providers are adding clauses that revoke coverage if the business didn’t take adequate steps to prevent the attack. The attackers got in because your multi-factor authentication implementation wasn’t configured properly: coverage denied. A ransomware attack crippled your servers, and you didn’t have proper backups that would have allowed you to quickly restore the servers: coverage denied. Even if you think you’re fully insured, any lapse in your security implementation can mean your business will find itself self-insured after the fact.
How to Protect Yourself in 2023
The good news is that the requirements being imposed by insurance companies are easy to comply with, as long as you’re willing to follow their guidelines and invest in proper configuration and implementation.
Some insurance companies are now providing a list of preferred security solutions for the various security elements they require. Even if your insurance company doesn’t provide a list, by following lists approved by other insurance companies you’ll help ensure you haven’t missed something important. Your organization may even already be running the preferred solutions, so this activity could be as simple as ensuring you have the latest versions.
As mentioned already, even having the preferred solutions isn’t enough. They must be configured properly. This is where it’s important to have security experts who are not only familiar with individual security tools but also with how the combination of different tools works (and doesn’t work) together. These security experts will also need to evaluate the specifics of your company network to ensure there aren’t any security holes due to a unique configuration.
Once you have the right security tools and they’re properly configured, you need to plan for when they fail. Security incident planning should be similar to planning for a fire. When there is a fire drill in a commercial building, rather than making things up on the scene the people running the drill follow a printed emergency response plan that is regularly reviewed to ensure it is up to date. During an emergency you don’t have time to evaluate alternatives, so the plan must consider multiple scenarios and contingencies.
Your security incident/disaster response plan needs to be the same. Have you recently tested your backup process? Can you restore all your critical services using only the resources that would be available during an attack? If not, it’s like never testing the building’s sprinkler system and just assuming it still works as it should. What if your server admin was on vacation and off the grid? Do others have the necessary login credentials and admin rights to act in their place to begin restoring servers? These are the types of planning details you can expect insurance companies to ask for moving forward.
If you can’t show you have a well-thought-out plan, the insurance company knows from experience that you’re more likely to have an incident with a bigger disruption and bigger payout, and they will increase prices and reduce coverage accordingly. But when you combine an up-to-date security infrastructure with a quality incident response plan, your insurance renewal process should be easier, and you should qualify for better rates.
Now is the time to start to prepare. Review your security tools to ensure they meet today’s insurance requirements. Review all the configurations to make sure there aren’t misconfigurations that will increase risk and reduce coverage. And update or create your security incident response plan so that it not only protects against cybercriminals looking to cripple your business but also insurance auditors looking to deny coverage.