IT Solutions

Cyber Insurance: Providers Are Upping Their Requirements

October 22, 2021

At the halfway point of 2021, the world had already incurred record-setting ransomware attacks on critical infrastructures, healthcare networks and even schools. Once thought to be mainly after corporate and personal data, cyberattackers have now proven themselves to be equal-opportunity offenders.

As a result of this onslaught (which was already horrible in 2020, and largely responsible for the 141% yearly increase in data breach activity), companies in all industries began considering cyber insurance. So popular has this business protection become that the total market is expected to grow 250% in five years — from $8 billion in 2020 to $20 billion by 2025.

This isn’t surprising, given that cybercrime cost the world more than $1 trillion in 2020, but it doesn’t mean organizations can afford to select their insurance provider casually. For companies at moderate risk of a cyber-attack, cyber insurance premiums can range from $650 to $2,350 for liability limits of $1 million with a $10,000 deductible.

Furthermore, cyber insurance firms are becoming weary of this problem. Cyber insurance payouts now top 70% of premiums collected, which is widely considered to be the break-even point. With a 400%-plus increase in ransomware cases in 2021, and skyrocketing extortion demands, cyber insurers are being forced to adjust their requirements. To stem these losses, many policy renewals are carrying new, stricter rules.

Two requirements that have become fairly ubiquitous are two-factor authentication (2FA) and endpoint detection and response. These are critical protections for every firm, so requiring them is a no-brainer at this point.

Two-Factor Authentication (2FA)

No password easy enough to remember is hard enough to crack, and writing down passwords or storing them in (or on) a computer is like delivering an engraved invitation to a hacker. With 2FA, users are required to provide two pieces of information to verify their identity. The first “factor” is their username and password. After that, they can select their second factor from three types of information:

  • Something they know, like an additional passcode.
  • Something they have, like a phone that can receive a one-time authorization code.
  • Something they are, like a fingerprint or voice print. (This is also called biometric security.)

Advanced Endpoint Detection & Response (EDR)

Advanced EDR is an integrated security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis. An “endpoint” is defined as any network end node, such as a mobile device, a computer or even a printer. If it is network connected and it is not the primary server that drives the network, it is an endpoint and must be monitored.

Some companies claim to offer this service, but they may call it “endpoint detection” or “endpoint detection and notification” (both of which mean you should get an email or some other notice). This means they will respond to the threat and attempt to resolve it, but your endpoints might not be monitored 24/7/365 like they are by IT Solutions.

One of our cyber insurance partners, Johnson, Kendall & Johnson, has produced an excellent article on cybersecurity best practices and insurability requirements. We think you will find it a valuable addition to the insights provided here.

One final bit of advice to consider. According to a report published this month, cyber risks caused by technology adopted during the pandemic were responsible for 74% of attacks on 94% of businesses over the past year. IT Solutions provides complimentary “security checkups” to help you determine whether your technology is endangering your firm. To request a consultation or learn more, call 866-PICK-ITS.
