Cyber Insurance Blog

Cyber Insurance Requirements Must Match “Imperfect Insureds”

Cyber Insurance Requirements Must Match “Imperfect Insureds”

Ransomware attacks, data breaches, and other cyber incidents continue to rise, especially against small businesses. More small and medium-sized enterprises (SMEs) are adopting cyber security controls to meet carriers’ Cyber Insurance requirements. Unfortunately, adoption rates are still sluggish considering today’s ever-accelerating cyber security risks.

This conclusion comes from a recent ProWriters analysis of Cyber Insurance policy applications from SMEs. Among companies with less than $50 million in revenue, says Brian Thornton, chief executive of ProWriters, “cyber security controls are moving in the right direction—but still moving slower than people probably think.”

The slowly improving situation has implications for how insurance carriers and brokers do business. Read on for details about how both can thrive in the current environment.

Six Cyber Security Controls Today’s Insurance Carriers Demand

When carriers evaluate whether a business represents a “good risk” for Cyber Insurance coverages, they want to know what cyber security controls the business uses. The more controls in place, the lower its cyber security risks, and the less money it is likely to cost the insurer over the contract’s life.

Thornton identifies six controls carriers typically include among Cyber Insurance requirements:

  1. Knowledge authentication factor
  2. Possession authentication factor
  3. Inherence authentication factor

These three factors are the essential components of multifactor authentication (MFA). MFA increases data security more than relying on usernames and passwords alone.

 Businessman enters username and password on tablet computer, smartphone nearby ready to use facial recognition as part of MFA.

  • The knowledge factor is something a party requesting access knows (like a password, security question answer, or PIN).
  • The possession factor is something a party requesting access has (like a smartphone, smart card, or hardware token).
  • The inherence factor is something specific and unique to the party requesting access (like their face, fingerprints, or retinal pattern).

“[A]ccording to industry research,” state the FBI and CISA, “users who enable MFA are up to 99 percent less likely to have an account compromised.”

4. Endpoint Detection and Response (EDR)

More advanced than MFA, EDR continuously monitors network-connected servers and devices (endpoints) in real time.

EDR flags potential and actual threats as they occur. It also facilitates rapid responses to cyber attacks by identifying affected systems, constructing incident timelines, and gathering cyber security artifacts for forensic IT investigators.

5. Secure email gateway (SEG)

SEGs automatically analyze incoming emails. They ensure legitimate messages reach intended recipients, and they filter out spam and phishing emails, malicious attacks, and fraudulent content. SEGs can also analyze outgoing messages to prevent sensitive data from leaving the organization.

6. Segregated backup systems

Segregated backups store an organization’s data in locations not connected to the organization’s network. External hard drives in another place, cloud storage, and separate, unconnected servers are all examples.

Segregated backups can also help a business get back up and running more quickly after a cyber attack.

Carriers Need Tech and Teams to Handle Imperfection and Uncertainty

All six of these controls greatly reduce an organization’s cyber risk. As Cyber Insurance requirements, they make sense, especially as carriers automate application and underwriting processes.

Broker smiles as she sits using laptop computer on desk, discussing Cyber Insurance requirements with client on phone.

But Thornton doesn’t think carriers should require all six when writing Cyber Liability Insurance policies. As ProWriters’ analysis of data from applications shows, too few SMEs meet that criterion.

Consider MFA alone. It’s one of the most readily available and affordable controls businesses can use. But ProWriters’ analysis revealed:

  • Applicants are adopting MFA, but slowly, and 67% of all applicants don’t have basic MFA controls in place. That figure is down from 78% a year ago—but not by much.
  • More advanced controls such as EDR are growing, but at even slower adoption rates (for example, 28% for EDR versus 33% for MFA).
  • When looking for quotes, most retail brokers (59%) don’t know whether their insureds use MFA.

ProWriters found only 18% of applicants can confirm they use all six of the cyber security controls carriers often want. When carriers require all six, they’re eliminating 82% of small businesses they might otherwise be insuring.

Even within the remaining 18%, Thornton notes, certain industry codes or other factors might prompt a fully automated review process to reject an applicant. Such rejections further narrow the field of potential insureds to less than 10% of the market, where competition for “the best of the best risks” is more intense.

“A carrier said, ‘We want to make sure every risk has MFA, EDR, and five other controls,’” Thornton recalls. “Our point was, ‘You’re going to find out that not many businesses have all of these controls in place, and where they do, there will be a lot of competition on those risks.’”

The vast majority of Cyber Insurance applications are imperfect, Thornton stresses, and “uncertainty is everything.” Carriers who design technology and processes to deal with this imperfection and uncertainty, and who train their teams to deal with it, will perform best.

People can’t be automated out of the Cyber underwriting process. Without human eyes on applications, says Thornton, “either bad data is going through and carriers are writing risks they didn’t expect, or they’re declining risks they might have been able to deal with, but they couldn’t do it on an automated basis.”

ProWriters Gives Brokers Powerful Technology With Personal Support

Automation can also help retail brokers. It can find opportunities, provide pricing guidance, save time on data entry, increase quoting efficiency, and more.

But Thornton cautions brokers, as well, against relying on fully automated platforms. Writing new business today necessarily means taking on imperfect insureds. Brokers’ platforms should be able to accommodate this reality.

“We designed our process to have our team in the office deal with all the uncertainty,” Thornton says of ProWriters. Its proprietary Cyber IQ Comparative Rate Platform, for example, is powerful and innovative technology. It allows brokers to generate Cyber Liability Insurance quotes from leading carriers in minutes.

But it also includes access to ProWriters’ dedicated team of experts who possess more than 20 years of experience. ProWriters’ people can help brokers navigate uncertainty in today’s Cyber Insurance market, even as brokers help clients become better risks by implementing more cyber security controls carriers want.

Schedule a call now to find out how ProWriters can help you grow your book of Cyber business.

Subscribe to Our Monthly Newsletter!

    Retail vs. Wholesale Brokerage

    Experts Weigh In

    Get the eBook