Why it's harder than ever to get coverage, keep your coverage, and get your claims paid.
Are you cyber-insurable? Watch this essential webinar on cybersecurity insurance, led by Robyn Howes, President of Certified NETS, Inc. In this session, you'll learn why securing cybersecurity coverage has become increasingly difficult, how to maintain your coverage, and what steps to take to ensure your claims are paid. We'll also discuss best practices for understanding and improving your security posture to protect your business.
- Who is this webinar for? CEOs that care about cybersecurity
- Who is presenting? Robyn Howes, President of Certified NETS, Inc. in St. Louis, MO
- What do we cover in this webinar? Why it's harder than ever to get cybersecurity insurance coverage, to keep your coverage, and to get your claims paid.
- Why is it important? Recent changes jeopardize our abilities to have a claim paid. The same activities that allow us to get paid also help prevent us from needing to make a claim.
- What you'll learn: Best practices to know your security posture and next steps to continuously improve your security posture
Transcript: Are You Cyber-Insurable?
This webinar topic will provide you with information that could potentially save your business from being decimated by either failure to obtain cyber insurance coverage or just as bad, failure to have a claim paid in the event that you're struck by a major cyber attack.
The cyber insurance market is undergoing radical changes.
And those changes are making it harder than ever to get coverage, to keep your coverage, and to actually get your claims paid in the event that you have to file them.
At Certified NETS, we specialize in helping businesses like yours make the most out of today's ever evolving technologies. We help ensure that your use of that technology is safe and secure, and that's particularly important for today's topic. We also help ensure that your use of technology complies with requirements that are made by the folks that are in a position to create those requirements.
Who sets requirements for the safe and secure use of technology?
Regulatory Agencies
So normally when we talk about people who set requirements we're talking about regulatory agencies, so normally we'd be talking about things like HIPAA for healthcare or we'd be talking about PCI for credit card processing or FTC safeguards for financial advisors.
Cyber Insurance Companies
But today, we're not going to talk about regulatory agencies. Today, we're going to talk about another group of people that help create and shape those standards. And those people also require that we comply with those standards. And those people are insurance companies specifically.
We're going to talk about cyber insurance companies and we need that cyber insurance just in case we get hit by ransomware or a different kind of cyber attack that potentially paralyzes our business and can potentially cost tons of money.
Safety Standards Change Over Time
Car Safety Illustrates This Point
So I thought I would kick things off just by telling a little story that underscores the central role that insurance companies play in driving our safety standards. So I'm not sure if anybody on this call is old enough to remember this scene where, once upon a time, our parents just put a bunch of kids in the back of a station wagon before we hit the road.
Car Safety Standards Used to Be Lax or Non-Existent
There were no safety belts, no airbags, no child seats, just a bunch of wild kids in the way back, giving each other noogies in the back of the station wagon.
And if Mom or Dad hit the brakes just a little bit too hard, oh well, we went flying. So obviously in those days, not only could kids potentially get hurt by not wearing seatbelts or having airbags, but in general fatalities and severe injuries from car accidents were much more prevalent than they are today.
And so, of course it made sense to add safety features to our cars.
Insurance Companies Fought to Add Safety Features to Our Cars
But there was a lot of public resistance to changing these laws, and the automakers in particular did not want to add these security features because of the added cost. So who fought for those changes? The insurance companies. So yes, it was actually insurance companies that brought about today's car safety standards, by suing the government on the grounds that consistent laws were needed to protect the public. And why did insurance companies do that? Because they were losing a massive amount of money paying out claims for car-related injuries and deaths.
So the fact remains that insurance companies are one of the main reasons that our kids are buckled up and secure when we drive them places.
Insurance Companies Still Create Economic Incentives for Safety Today
And just so you know, insurance company actuaries and underwriters are still creating economic incentives for auto safety today and that is why they want to know the make and model of our car before they give us a quote for car insurance.
It's also why they want to put a monitor in our car to be able to track our driving behavior, because the safer we are as drivers, the less likely we are to get into an accident and the more money the insurance company can save by not having to make a claim and insurance companies hate paying claims.
So safety standards change and insurance companies play a central role in determining those standards because of their own economic interest, and they are not the government but insurance companies still have the power to impose those standards on us. If we do not meet those standards, then we do not get the coverage and if we lose the coverage then we are at risk.
Plus, you might not know this, but insurance companies manage more than 10% of all the capital in the world. They even have the power to drive public policy, and that is why the police will ticket you for failing to comply with what is essentially an auto insurance standard.
Cyber Insurance Companies Will Sue For Non-Compliance
Travelers vs. ICS
Insurance companies will take you to court for non-compliance. We can look at a recent example involving ICS, a company that thought it was fully insured when it got hit by a cyber attack.
But when ICS filed their claim, Travelers, their insurance carrier, did a little digging and found out that while ICS may have been compliant when they first qualified for their cyber insurance policy, later on, at the time that ICS was attacked, it turned out that ICS had slipped a little.
So Travelers did not just deny their claim, they actually sued ICS for fraud. ICS lawyers knew that ICS could defend itself against that charge, because ICS's failure to maintain compliance, along with its decision to file a claim under a policy which required them to maintain that compliance, did in fact constitute a type of fraud. Insurance companies are very powerful and they're not playing around when it comes to compliance with their underwriting standards.
Agenda: 5 Things We’ll Cover About Cyber Insurance
OK, so with that introduction and that setting of the stage, let's move on to today's agenda. Basically, I'm going to cover 5 pieces of information with you.
- First, we're going to review the critical importance of cyber insurance, just in case you might think that cyber insurance isn't something that you should be concerned about.
- Next we're going to go over just a quick snapshot of some of the radical changes in cyber insurance recently.
- We're going to get a crash course in the new, more stringent standards that insurance companies are requiring their policyholders to comply with. And if those policyholders want to get insured, stay insured, and get paid for their claims, they need to comply with these policies.
- We're going to look at a simple action plan that you can take to make sure your business is properly insured, since that insurance is so essential for managing business risk.
- And finally, we're going to review a special offer that I think is terrific for companies in your position, given the high risk that we face for cyber attacks and the related risk that we face from insurance companies that don't want to cover us unless we meet their extremely high standards for cyber safety.
1. Is Cyber Insurance Necessary?
So first, is cyber insurance necessary? The simple answer is yes, we all need cyber insurance, because cyber insurance is a key component of any organization's strategy for managing business risk. We can try to be as safe as we want.
And as you all know, I encourage everyone to be very rigorous when it comes to cybersecurity, but there's still a chance that we will suffer a cyber attack.
So even if we do an hour of cardio every day, and even if we only eat organic food, we still need health insurance; even if we drive very safely, we still need car insurance. So insurance is our protection against a potential and intolerable financial impact, just in case something goes wrong despite our very best efforts.
You probably don't leave your front door unlocked. You may have a magnificent home security system, but you probably still insure your home against theft as a matter of last resort. At least that's what insurance is for. That's its value. That's why we have it if we're smart.
Being Small Does Not Protect You From a Cyber Attack
So I'm not one to engage in scare tactics when it comes to this topic, but the reality is that anyone can get hit by a cyber attack at any time. Being small does not mean that we're safe, and being careful does not mean that we're 100% immune. Unfortunately, there is better than a 50/50 chance that we'll experience something this year. The impact of what we experience may not be significant enough to warrant filing a claim, but we never know. Then again, we may need to.
This number speaks for itself. The likelihood of you successfully surviving a cyber attack goes way down if you don't have cyber insurance.
And cyber insurance is not something you can just decide to get or not get based on your own personal tolerance for risk, your customers and your suppliers want you to be insured as well, because if you are not insured, you are by definition a bad business risk for them.
This is especially true if you're a small business and you have large customers that adhere to true best practices for corporate risk management.
Plus, you may be subject to regulations that actually require you to carry cyber insurance. This is like the cop giving you the ticket for not wearing the seat belt that the insurance company wants you to wear. It's the government saying we will enforce the standards that the insurance companies have told us are reasonable to impose.
Umbrella Policies & Key Employee Insurance Coverage Do Not Cover Cyber
And we also cannot assume that we have cyber insurance coverage just because we have a very good umbrella policy with our insurance carrier. Cyber insurance policies are a whole different category of coverage, and oftentimes the carrier that we use for hazard insurance, auto and key employee coverage does not even carry cyber insurance. You may have to use an entirely different insurance carrier to get cybersecurity insurance.
OK, so now that we covered the need for cyber insurance, we're going to move on to that quick market snapshot that I promised.
2. Cybersecurity Insurance Market Snapshot
So cyber insurance carriers started to experience a financial hit toward the end of the 2010s and into 2020. They were undercharging for premiums and not imposing rigorous standards on their policyholders, so they wound up paying numerous big claims, and some of them had loss ratios of more than 100%, which meant they were losing money hand over fist.
So what did they do?
Obviously they increased premiums… and by a lot. They increased premiums or decreased coverage, and by a lot. So compared to when we could spend a dollar to get $100 worth of coverage in 2016, today we can spend $1.48 and get about $69.00 worth of coverage.
But even more critically, the insurance companies have gotten very serious about their standards, so they're going to give you a checklist with a much longer list of tasks and a more detailed set of criteria than they used to provide just a few short years ago. I'll go into more detail about what those standards are in just a minute. But the key point is we are paying more for less, and compliance is a huge burden.
And this strategy is working for the insurance companies. At least it's working for them in terms of profit. Their profitability is up 45%, and that is good for us in a way, because that increased profitability means that there are more carriers in the market and there's an increase in competition.
But while that competition may bring prices down a little bit, it is not going to change the trend towards increasingly more stringent underwriting standards. That ship has sailed and will continue to sail.
So that was your 3 minute economic lesson. And now let's talk about what these changes mean for you personally.
3. Cybersecurity Underwriting Standards Are Increasingly Stringent
So as I said before, we are going to be paying more and getting less, but those numbers are always going to go up and down with market forces. What is not going to change is the issue of compliance for insurance companies.
So there is going to be an ever more stringent set of underwriting requirements. And what I want to focus on with our time remaining are those standards.
We're going to look at basically three different areas that these standards have changed and how they impact you.
It’s More Difficult to Qualify for Coverage
So first, qualifying for coverage is now much more difficult. Insurance companies now have a tough set of instructions and requirements. If we thought it was hard working with building inspectors to get building permits for new construction, that is nothing compared to how difficult it is now to get cybersecurity insurance the first time.
It’s More Difficult to Renew Cybersecurity Coverage
Even once we qualify, it is harder to renew, so we cannot take those renewals for granted. We are not going to be grandfathered in or given a pass just because we've been a good customer. If we do not continue to up our game, we'll be denied those renewals. And then we're like a first time buyer all over again.
You Need to Work Hard to Qualify for the Best Rates
And thirdly, we have to work very hard to qualify for the best rates. So just like safer drivers and safer cars get lower rates and homes in flood or fire zones get higher rates, we have to have the same thing in mind when it comes to our business insurance and budgeting for it over the long haul.
So the bottom line is, it's harder to get cybersecurity insurance, and harder to keep, but we need it and we're going to have to jump through hoops to get it.
Filing a Cybersecurity Claim Invites More Scrutiny Than Before
Alright, so those are the impacts on our business on the buy side. But when we think about filing a claim, we also have implications.
So there's going to be more scrutiny when we need to file a claim. Also, we have to have our act 100% together, or at least 93.5% together. There is a higher likelihood that our claim will be denied.
And the real kicker is it's even possible that our insurance company will pay our claim and then come after us legally after the fact if they come across any evidence whatsoever that you are not fully compliant with the terms of the coverage at the time of the incident. So unfortunately, they can do this.
So you don't just have to be diligent about compliance to get your policy. We have to now be really serious about staying compliant every single day that we're under our carrier’s coverage and that's a whole second dimension of diligence. The first dimension of diligence is making a potential insurer happy so that we get the coverage. But the second dimension is how much more diligent we have to be to keep them happy day after day, month after month, quarter after quarter and year after year.
Back to the ICS vs. Travelers Lawsuit
So let's go back to what happened with ICS when they filed their claim with Travelers. We don't know if ICS fell out of compliance the day after they renewed their policy or the minute before they had their attack. So we don't know if they were out of compliance for six months or if they slipped for even just one minute, but the fact is that at some point they did slip, and that is really all that matters.
Compliance success. How do we get there?
So what are we talking about here? I've mentioned a lot about underwriting standards and about compliance requirements and the stuff you have to do to get insurance and keep insurance and to make sure your claims get paid. But what does compliance actually mean?
And what does success look like? Compliance success. How do we get there?
So first, let's clarify some definitions. Standards describe what insurance companies expect you to do, and when I talk about underwriting standards for cyber insurance, I'm talking about lots of controls and processes that you have to implement to keep bad guys out, to protect your company's personal information and to avoid any kind of insider malfeasance. So this is stuff like:
- Firewalls
- Multi-factor authentication, which is what ICS had trouble with
- Personal information protection
- Data encryption
- Malware protection and antivirus
- Data backups, but not just making sure that our backups are working, making sure they're tested for recovery and these days we even may have to prove that we tested them for recovery.
- Incident recovery plan, which is basically our way of making sure that we're taking steps to minimize the impact of any potential cyber attack that hits our company.
- Employee training: We have to train our employees to comply with the policies regarding data access and data protection and not clicking on spam emails, so they don't let the wolf in.
- Strong password requirements: We need to make sure everybody is using strong, unguessable passwords, which can be harder than it sounds, and we also have to require that they change those passwords regularly.
- Separation of responsibilities, which basically means no one person has the keys to the Kingdom.
- Employee offboarding, which is making sure that we immediately and completely deactivate employee access privileges as soon as they leave our company and become ex-employees. Another policy that's easier said than done.
- Periodic third party “pen testing” (penetration testing), which I'm definitely going to be talking more about because this is the foundational key to this whole insurance puzzle.
So this is a 60 second overview of the actual material requirements that insurance companies will specify in their underwriting standards, which again is the stuff that they want you to do.
So these are the standards.
So now what is compliance?
Compliance is basically doing those things that the insurance company wants you to do. Pretty simple. It doesn't mean that achieving compliance is simple; it just means that the relationship between them wanting you to do something and you doing that thing so that you're in compliance is simple.
That concept is simple.
But as you can see, when you look at this list of requirements being in compliance can be a very heavy lift.
So here's the thing.
Being compliant isn't enough on its own.
Compliance just by itself is absolutely insufficient for what we call compliance success, because if you want to be successful, if you want to qualify for cyber insurance, if you want to qualify for the renewal, if you want to have a high degree of confidence that your claims that you file will be paid, if you want to have a high degree of confidence that you won't get sued by your insurance company for attempting to file a claim under false pretenses… If you want all of that, then what you have to do is more than just being compliant.
You have to be able to show compliance.
You have to prove it and it has to stand up to an audit. You have to have documentation and reports and records to prove that you did what you were required to do, and you have to be able to prove this to someone who is actually intent on finding some little gotcha so that they can show that no, you weren't in compliance in this area or that area.
So real compliance success is about rock solid documentation.
Again, let's go back to the lesson from ICS. It did not matter what ICS did, it mattered what ICS could prove.
Periodic Pen Testing is Central to Cybersecurity Insurance
So this is why I believe that periodic third party pen testing is so central to cyber insurance these days. Today's regulatory agencies require third party pen testing. It's a given.
But the real reason they're requiring it is because it's such a great way to empirically verify that you're in compliance.
It's a test or an assessment or a compliance exam or whatever you want to call it, but it's a test from an independent third party.
So it's not you saying that you're compliant.
It's not me as your compliance as a service provider saying that you're compliant, either. It's someone else, someone with no skin in the game, kind of like the lab the doctor sends your blood work to for testing, or the mechanic that you go to for a second opinion on a used car before you buy it.
Periodic third party pen testing is how you verify ongoing compliance.
So if you take nothing else away from this webinar, please remember that periodic third party pen testing is how you verify ongoing compliance. It's how you proactively discover if you're falling short anywhere in your compliance efforts, it's how you find those problems before your cyber insurance carrier does, and it's how you can prove that you found them and that they're fixed.
So periodic third party testing is the core of due diligence when it comes to compliance with cyber insurance carriers' underwriting standards or any regulatory mandates regarding your use of technology, no matter how stringent or lax those standards are.
And once upon a time, companies like yours might have actually been allowed to assess themselves.
But those days are gone, and once upon a time it might have been OK for a “compliance as a service provider” like myself to perform those compliance assessments and write up a detailed report analyzing those assessments, but that is no good anymore, so I can help you to achieve compliance if you decide you want to do business with us. But we're not going to do those assessments.
So rather, we're going to connect you with a reputable company that performs those assessments independently. That's how you're going to find out where your compliance problems are, and that's how we're going to be able to work with you to independently, credibly and convincingly verify that you found and fixed those problems.
4. Action Plan: How to Prove Compliance & Qualify for Cyber Insurance
So now let's talk about a simple action plan. What can we do now to meet and overcome these challenges presented to us by the new rules of cyber insurance? Well, we obviously need to learn what those new rules are.
First, you need to understand the requirements.
What does your current cybersecurity provider require?
Do they use standard cybersecurity insurability frameworks like the NIST framework, or have they added their own bells and whistles? We need to understand what those standards are that they require.
Second, we need to fulfill those standards, and I can help you with that.
So the good thing is, we are already accustomed to performing this role, so we have expertise in this area. We don't need to reinvent the wheel. We also have work product that you can leverage so that it's easier to get compliant and it's more cost effective. I have policies in plain language that everyone can understand.
And we have training available for end users and we know what technical controls to put in place to ensure that you can put a check mark in all of the boxes of what your insurance company requires.
Third, you need to be doing quarterly pen testing.
We're also going to test quarterly against your insurer's requirements, using an independent third party.
So if we look back at what we learned from ICS, the problem was not that they dropped the ball on multi-factor authentication. Rather, it was that they didn't even know that they had dropped the ball at all. If they had done a test, if they had found out for themselves, if they had known where the gaps in their coverage were, then they could have gotten paid on their claim. But they didn't do the test, and instead they got blindsided.
So these items: learning, fulfilling and testing quarterly are the action items that we need to do to know the standards.
This is what we need to do to ensure our insurability.
Make sure you have the right coverage.
On the transactional side, we also have three things that we need to do from an action plan standpoint. So one, we need to make sure that we have the right coverage. Most companies are actually underinsured when it comes to cyber attacks, and that's because a lot of coverage only addresses removal and recovery of cyber issues. They don't insure you against:
- The financial impact potentially of being out of commission
- Losing revenue
- Losing customers
- Potentially being sued for failing to meet a delivery commitment
We have a white paper that is terrific for CFOs that covers this topic in depth, if that's interesting for you.
Shop around and negotiate cyber-insurance pricing.
In addition, for the right coverage, we have to also make sure that we are paying the right price, so we need to shop and negotiate. And again, when we're shopping, it's going to be helpful to make sure that you run a tight ship and be able to show that.
Read the fine print.
Lastly, we need to read the fine print, so you want to make absolutely sure that we are fulfilling every jot and tittle of your carrier's underwriting requirements. And here again I am happy to help.
5. Special Offer
So now let's talk about that special offer that I mentioned at the beginning. We actually have two special offers. One of them is what I just alluded to, and it's for everybody that's on the call currently: I am happy to review your current cybersecurity insurance, or one that you may be considering. We can look at the conditions and the policy to make sure that there is nothing glaring, to see if there are any concerns in terms of how you're currently complying with those requirements and if there are any potential gotchas. I can do that for everybody on this call.
The second offer is one that I can only provide for seven people. It is highly valuable and it is offered by our independent compliance provider. The independent compliance provider that we work with really likes what we're doing and is committed to helping Certified NETS strengthen our position as a “compliance as a service” market leader. So I can offer a free initial trial assessment for seven of you.
This assessment is just a diagnostic of your current compliance posture. It's easy and it's secure, and the information that you get from the assessment will be useful for you as you pursue your quest for cyber insurance protection at the best price.
And once you get the first assessment, I think you'll understand more clearly why this is something you want to do quarterly, not just for your compliance efforts, but for your ongoing cybersecurity work, so that you are on track and stay safe even as you add more computers, more applications, more employees, and whatever else is changing in your ever evolving business.
And cyber insurance requires these tests.
So if you're interested in this offer, just pop me an e-mail. Please be sure that you're ready to have this outside party. They're called Galactic, by the way, and they're terrific.
So we just need to make sure that you're ready to perform this assessment within the next 30 days, because this is a limited time offer that they have been good enough to provide to you through us to support our current efforts which include this webinar and then that policy review that I mentioned earlier.
All right, that's it. We're done. I thank you for your time. I hope everybody learned something, and I'm open to feedback as we continue to do these webinars. Please don't hesitate to act on the things that we covered today, and if you're interested, shoot me an e-mail and we can talk about that third party penetration testing initial trial. Even if you need to digest this information and you're not ready to sign up right away, don't hesitate to give me a call. Cyber insurance is really important and it can be such a pain, and we want to help you reduce that pain and maximize the gain, so feel free to pop me an e-mail and we'll keep it simple. Thanks again. Have a great rest of your day.