Cyber liability insurance is only becoming more necessary for commercial clients, but if they don’t have the right risk mitigation practices in place, they may have difficulty finding coverage.
The COVID-19 pandemic transformed the way the world works today, dramatically increasing our reliance on information technology. Today, and into the future, every business will become somewhat digital-dependent and will require a cyber liability insurance policy.
As a result, the global cybersecurity insurance market is projected to grow from $11.9 billion in 2022 to $33.3 billion by 2027, according to the 2023 Munich Re report “Cyber Insurance: Risks and Trends 2023," which makes it “the fastest-growing property & casualty line," says Adam Glaude, director of small commercial product solutions at Liberty Mutual.
For a risk that can be considered both an evolving and moving target, agents must play a role in ensuring their clients are prepared with the relevant safeguards to not only protect their business but qualify for coverage.
As the global average data breach costs increase, with 2023 setting an all-time record high reaching $4.45 million, up 15.3% from 2020, according to IBM's “Cost of a Data Breach" report, here are the four most common risk mitigation safeguards that clients can implement to ensure they qualify for cyber coverage:
1) Multifactor authentication (MFA). “Oftentimes the criterion today is whether or not you've enabled MFA on critical business systems," says Shawn Ram, head of insurance at Coalition Inc. “It's like the insurance industry's belief about wearing a seatbelt—if you're going to drive a car, a seatbelt gives you the protection you need to avoid more severe claims."
When it comes to implementing MFA, “it needs to not just be implemented or enabled, it needs to be enforced," says Kirsten Mickelson, cyber product group leader, Gallagher Bassett. “And that's a two-step process—one is implementing or enabling the MFA feature, the second is enforcing it on each end point. Additionally, MFA should be utilized if a client needs to use a VPN or remote desktop protocol (RDP)."
“You can't just have the door closed, you need to lock it with a VPN and MFA to be properly configured," Mickelson says.
Agents can best assist their clients by helping them become more aware of these trends to avoid any issues if a cyberattack does occur.
“Where we found it challenging is when insureds think that they may have MFA in place, they have a loss, and then they realize they actually don't have it in place—that gets into a really gray area with markets," says Derek Kilmer, associate managing director, professional lines broker, Burns & Wilcox. “Independent agents would be able to help facilitate the conversation between the tech companies and the insured to ensure this doesn't occur."
2) Endpoint detection and response (EDR). Having EDR in place secures the network endpoints and sends off a signal to alert of any malicious cyber threats. “What's crucial with EDR is you can't just have it in place," Mickelson says. “You need to implement it, operationalize it, monitor it, and demonstrate that it's working—if it's left unmonitored, it's totally useless."
“Small businesses tend to experience cyberattacks through a 'spray and pray' method, meaning the business is one of hundreds or even thousands that a cybercriminal is attempting to breach through tactics such as phishing campaigns," Glaude says. “Spray and pray cybercriminals tend to move on if they're not able to breach the business on the first attempt: Good cyber hygiene paired with a strategic set of risk mitigation tools greatly increase a business's odds of not falling victim to these campaigns."
3) Dual authentication for wiring funds. “In terms of social engineering best practices, one key feature is to validate the customer," says Steve Ventre, senior vice president, management liability & surety, The Cincinnati Insurance Companies. “For example, customer confirmation via a pre-determined phone number—as the old adage goes: Trust but verify."
As the rise in wire fraud continues, there are “two great ways to prevent it: enforcing MFA on email accounts and having a secondary check when making a payment to a new vendor or when a vendor curiously updates wire information," Mickelson says. “When a payment is due, there's a secondary check where the insured will call the last number on file rather than the number in the email."
4) Data backup. Many carriers are requiring regular backups of data that is also segmented and tested. This ensures that “if a ransomware attack deploys malware and the computer locks down data but you have that data at a different location in a segmented virtual location, which is tested and backed up regularly, then that is okay," Ram says. “If adversaries lock down your data in one place, you have it available in another place."
Agents can highlight to clients the need for both the segregation and segmentation of data. “Segregation is taking your critical information offline or just away from the internet while segmentation is splitting it up into little chunks and then storing it separately again," Mickelson says. “When you do that, it is necessary to carry out data inventory, thereby ensuring the insured and the carrier understands the nature of the data held—how important or sensitive it is."
It can be difficult for businesses, particularly small and midsize ones, to evaluate the risk they face when it comes to cyber liability. “The good news is that a lot of carriers, technology vendors and industry groups offer ongoing training and knowledge sharing," Glaude says.
“Once agents make it through the initial education stages, it's about finding the right resources to maintain that knowledge and ensure they can pass that education along to clients," he adds. “For example, Verizon releases a popular annual report, the Data Breach Investigation Report (DBIR), that can be helpful in keeping up with emerging trends, and the Agents Council for Technology (ACT) offers cyber-specific guides and content with best practices for agents."
Olivia Overman is IA content editor.