Insurers make money by assuming the business risks of their clients for a fee. They only make a profit if the aggregate cost of the risk they take on, across all of their clients, is less than the aggregate premiums they collect for assuming it. Businesses looking for cyber insurance face technology-based security threats, so insurers must understand the technology to make sound underwriting decisions. The problem is that insurers have always lagged behind their financial services counterparts in understanding advanced technology enablers. Many have no idea how to assess the financial, reputational and regulatory risks they face, and prefer to walk away.
Insurun has compiled a list of the top reasons insurers refuse cyber insurance, based on the more than 100 companies we have helped get coverage. Let's take a look at the top four reasons insurers deny cyber coverage.
The applicant allows its employees to bring and use their personal devices at work (BYOD). BYOD has become a widely accepted business practice; companies like IBM, Citrix, and SAP have all built products around using and securing BYOD. Like other business enablers, BYOD is only a security weakness in the absence of a cybersecurity policy that governs its acceptable use and the configuration of the devices (for example, which device security settings must be in place before a device may reach company data).
The applicant has end-of-life (EOL) systems. A lot of companies have EOL systems, and there is nothing wrong with a company that has old systems it intends to replace. On the contrary, investment bankers and venture capitalists tend to view companies that are actively retiring their legacy systems as forward-thinking innovators. EOL security issues arise when a company has no retirement schedule for its EOL systems, or when those systems run older technologies that no longer receive security patches and are therefore more exposed to known threats, or both.
The applicant's network security controls are too "low" in maturity to process credit card information for many customers. Apart from its sophomoric formulation, this ground for refusal provides the strongest indication of the insurer's misunderstanding of the most fundamental cybersecurity concepts. First, the HHS cybersecurity maturity model has levels ranging from "initial" to "optimizing"; "low" is not one of them. Second, holding cardholder data (or any PII) is a matter of data security, not network security. Third, and most blatantly, this finding implies that the applicant is "processing" the payment card data, when in fact it uses a third party like Stripe for this purpose. At no point in this process is payment card information captured by Stripe stored or processed by the applicant: the card data travels encrypted from the customer's browser directly to Stripe, and the applicant receives only a token it cannot turn back into a card number. Even if the applicant wanted to capture the card data, there would be nothing on its systems to capture. The applicant still has PCI DSS obligations in this setup, but in a much reduced scope, and that is a question of compliance posture, not of network maturity.
The applicant uses a third-party cloud service provider. While it's true that businesses don't have a traditional network perimeter these days, they most certainly do have a virtual network. VPN technology has allowed networks to expand beyond conventional borders and into homes, third-party service providers and customers. But be careful. While AWS, Microsoft, or Google can host important "stuff", they do not secure it for you, and they cannot be assumed to do so by default. Under the shared responsibility model, AWS secures the underlying infrastructure (physical data centers, hardware, the hypervisor and the provider network) and offers building blocks for availability and failover. Everything above that line, such as identity and access management, data encryption, patching of the applicant's own instances, and the configuration of storage and network access, is up to the applicant.
The challenge here is twofold. Insurers make underwriting decisions based on technologies they don't fully understand, while applicants don't fully understand the cybersecurity frameworks that insurers reference, and therefore cannot apply them to their IT infrastructures. The solution would be a method by which applicants can prove to insurers that their cybersecurity posture meets the requirements of one or more widely accepted standards. This requires the applicant to engage a qualified and impartial third party to perform a detailed examination of its cybersecurity posture against frameworks such as NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations".
After the review, the third party provides the applicant with a security "clearance" (attestation) report. Interested parties such as regulators, banks, and insurers can then review that report and make better, more accurate, and more objective underwriting decisions.
Cyber insurance applicants are likely to face more, not less, pressure from third parties to prove that they adhere to sound cybersecurity practices, making ongoing cybersecurity and cybersecurity attestation services essential elements of their operations.