Get Ready: Cyber Insurance Underwriting is Changing

The underwriting process in cyber insurance has changed significantly over the past 12 months and two major factors are at play. The first is an increase in claims frequency and severity from ransomware attacks, which have led to more business interruption losses. The second is claims under new and evolving consumer privacy legislation, such as the General Data Privacy Regulation (GDPR), Biometric Information Privacy Act (BIPA), and California Consumer Privacy Act (CCPA).

It's worth noting that BIPA litigation may be setting the stage for other similar cases under CCPA. And CCPA is just the beginning. Other states are considering following suit and that could open the floodgate for more, similar claims. On top of this, insurers are bracing for the impact that COVID-19 will have on cyber risks this year.

As a result, cyber insurers are tightening their underwriting guidelines and clarifying coverage intent in their policy language. Here's what you need to know to prepare if you're purchasing cyber insurance for the first time or headed into a renewal in 2020.

What's Changed in Cyber Insurance Underwriting?

While first time buyers of cyber insurance policies have to complete a detailed application, existing buyers have been able to complete a simplified version.

Historically, cyber insurance renewal applications have required a minimal amount of high-level exposure information such as updated revenue, number of records, and only the material changes to the business or cyber security and data privacy practices. That's not enough for underwriters anymore.

Now, underwriters are asking for more details to better understand the risk they are insuring. We now commonly see underwriters delving deeper into the details around the specific practices, controls, and protocols in place to prevent or mitigate specific types of threats, such as ransomware attacks.

Another trend we're seeing in response to increasing cyber risks is clearer policy language. Insurers are now communicating more explicitly about what types of events can trigger a cyber policy, and what losses the policy pays out.

One example of a clearer policy event trigger is the war exclusion found in most commercial insurance policies, which intends to exclude loss arising out of war, warlike actions, terrorism, or state-sponsored attacks. That exclusion in cyber policies was not meant to exclude coverage for cyber terrorism, an attack (such as via a state-sponsored malware attack like NonPetya and WannaCry) that would disrupt a company's network.

The new, more specific policy language provides affirmative cyber terrorism coverage and works in the insured's favor.

Business interruption (BI) is another area of coverage where we are seeing changes in insurer appetite. The scope of BI coverage had rapidly expanded in recent years to include outages caused by vendors ("contingent" or "dependent" BI) and unexplained or non-malicious events ("system failure"). Due to an increase in ransomware attacks, underwriters are now starting to sublimit or remove these expanded BI coverage features.

Cyber insurers have clearly shown an intent to reduce ambiguity in their policies. Innovative coverages are no longer being "thrown in'' to cyber policies. In the past, when new coverages appeared in the market, they were made readily available by most insurers for little to no additional cost because they gave insurers a competitive advantage in a softening market.

Now coverage and pricing are more reflective of the actual risks and exposures that insurers are comfortable insuring.

How to Prepare: 5 Key Steps

Whether you are placing cyber insurance for the first time or headed into a renewal, preparation is going to be key to meeting the rigorous demands of the insurers. Here are five key steps to ensure the best possible outcome during the cyber insurance placement process:

1. Get your teams ready. Do not plan on assigning the insurance application or renewal process to just one person in the company—not with the level of information now required by the insurers. When it comes to preparing for the necessary and relevant topics and questions, you'll need the input from experts on various teams—compliance, legal, information security, and so on.
2. Gather the information. Insurers are looking for specific information around your current enterprise information security practices and protections such as:
   1. Preparedness and compliance with privacy regulations, and what actions are being taken around due diligence and implementing policies, controls, and procedures
   2. Protection against ransomware threats, and reviewing audits and penetration testing to find out how your company is addressing any deficiencies
   3. Awareness and protection around network interruptions and better understanding of your backup procedures, business continuity and incident response plans, including how you're testing them and what the results are
   4. Vendor management controls if your business relies on third-party vendors for any key information technology and security services. The insurers will want to know your third-party vendor vetting process, and if they are subject to the same standards that you would have internally.
   5. Be aware that you might be seeing more questions specifically around COVID-19, such as how you're responding to increased cyber risks with employees now working remotely, and how you're training employees to avoid phishing and other social engineering scams.
3. Review current controls and policies. Once you have gathered all the necessary information and documentation, it's time to do a review. Do you have best practices in place that the underwriters will want to see? If you are missing certain controls or processes, are you working on them now or are they in the pipeline?
4. Address any deficiencies and vulnerabilities. If you've discovered deficiencies and vulnerabilities during your internal and/or external risk audits and assessments, now is the time to start addressing them.Keep in mind that insurers are using similar tools, such as threat intelligence reports, as part of their underwriting process to monitor and scan a company's networks for vulnerabilities.If any are detected, underwriters will want to know that you have taken some type of action, or at the minimum have outlined a plan to address and remediate these vulnerabilities. That's even if the plan needs to be rolled out in phases and may take you a few months to fully implement it.
5. Highlight improvements. This is one of the most important steps: Articulate clearly to the underwriters the investments and improvements you are making in cyber risk mitigation.Details and transparency matter here and can make or break the outcome. Rather than responding with "yes" or "no" answers on an application, the ideal approach is to convey these details via an underwriting meeting or call. This is where you have the opportunity to speak directly to the underwriters and highlight all the efforts and projects completed in the past 12 months, and provide insight into what's in the pipeline for the next 12 months.

Not all companies will need to do an underwriting meeting. Proceed with completing the application and then offer the underwriters a chance for a follow-up meeting or call. This will give them the opportunity to ask questions about any of the responses on the application or areas of concern.

Trends in the Underwriting Process

Let's now turn our focus to some common approaches we're seeing during the underwriting process today. We've seen many of our key cyber insurers implement at least one or a combination of the following to get more details and better understanding on a company's due diligence process:

1. Requiring a ransomware supplemental questionnaire, asking specific ransomware threat-related questions around backups and recovery, multi-factor authentication, vendor management, email security, employee training, and other network protections.
2. Requiring a network business interruption supplemental questionnaire, asking specific questions around business continuity plans, incident response plans, and restoration and recovery procedures.
3. Asking specific questions around measures taken to prepare for compliance with all applicable industry and privacy regulations, and tracking legislative developments.

If the company's responses are not favorable, the outcome could be one or more of the following:

1. Limiting the scope of coverage by modifying policy language to specifically include or exclude a specific coverage grant. For example, for business interruption coverage, you have "security failure" coverage (malicious attacks or events, which is more often a standard grant) and "system failure" coverage (unexplained or non-malicious events, which is not standard as it's seen as a higher risk). Some insurers will only give security failure but not system failure coverage.
2. Putting a sublimit to the coverage. For example, instead of full policy limits being available for a particular coverage, it may only be a small sublimit amount between 10% to 50% of the total policy limit that is available.
3. Charging an additional premium to grant coverage. Insurers may be comfortable with insuring a particular risk, but will want to charge to grant the coverage. So, going back to the example in Bullet 1, insurers might charge 10% to 20% more to give business interruption coverage for "system failure."

Preparing for a Better Outcome

In order to get a better outcome in today's cyber insurance placement or renewal, invest more time into the process.

Prepare by following the tips in this article, making sure you are thoughtful when articulating your unique risks and insightful when providing information around your controls, processes and procedures.

One last recommendation is to start early. Aim for 90 to 120 days ahead of the renewal or inception date. When in doubt, ask your broker. Following these recommendations will set the stage for a more favorable outcome such as better rates and coverage in a cyber market where risks and claims continue to increase and evolve.