Derek Symer
Derek S. Symer, CPCU, is a partner at AHT Insurance in Leesburg, Virginia, and a member of ASAE’s Finance and Business Operations Professionals Advisory Council.
After close to 18 months of remote work and more cyberattacks, cyber insurers are making adjustments. Associations can expect to pay premiums as much as 80 percent higher and to face more stringent cybersecurity requirements. Because of this, it’s important to shop around for the best policy.
Over the past 18 to 24 months, as remote work rose because of the pandemic, there has been both an explosion in the number of ransomware events, where cyber attackers lock user systems until a ransom is paid, and an increase in the average individual ransom payment. These factors combined have required insurance carriers to pay out an unprecedented amount of money in claims to fulfill extortion demands of cyber criminals.
Unfortunately, many associations have felt the sting of a ransomware event. The large ransom payouts and the costs to decrypt data and to help policyholders restore and improve their IT systems have put tremendous pressure on underwriters of cyber insurance. Insurers are looking to shore up their books and tighten criteria to limit their future financial exposure to additional ransomware activity. To make matters worse, the trend lines are only continuing to increase.
The cost to provide cybersecurity insurance that includes coverage for cyber extortion has ballooned so much that carriers and underwriters are rapidly revising their business models, and that means they are exploring three main options: significantly increasing the cybersecurity hygiene requirements of their clients, drastically increasing cyber insurance premiums, or exiting the cybersecurity insurance market altogether.
As insurance companies take these actions, organizations suddenly find themselves in a new landscape as they shop for a new cyber policy or go to renew an existing one. They are finding premiums rising as much as 50 to 80 percent year-over-year, discovering that their carrier of choice isn’t offering a cyber policy anymore, or learning they must attest to implementing high-level cybersecurity technologies and policies, such as multifactor authentication.
Here are some tips for associations looking to obtain or renew cybersecurity coverage in this new environment:
Budget for higher premiums. Increasing premiums are going to be part of the equation for all insurance carriers. Organizations can help take the sting out of these increases by budgeting for at least a 50 percent increase in their cyber insurance premiums year-over-year for the foreseeable future. Hopefully, renewals in 2022, 2023, and beyond come in below this budgeted amount, but you’d rather have the budget and not need it than need it and not have it.
Implement new cyber requirements. Talking with your IT team, work to quickly implement the cyber requirements that you can reasonably implement. Beyond helping to qualify for cyber insurance and possibly lowering your high premiums, these requirements will generally also make your organization safer and better protected from cybercrime.
Don’t attest to items your IT team says you can’t meet. Sit down with your IT team and review the attestations and requirements line by line and get an honest, candid answer about which requirements you currently meet, which ones you can meet with a little work, and which ones are out of reach within this time period. Answer the attestations honestly, and make sure you continue to follow the practices during the policy period.
While the insurance carrier will take you at your word during the application process, should you ever file a claim, they will rigorously test those controls you claimed to be following. If they determine that you aren’t actually doing all of the cybersecurity practices that you attested to, that could allow them to deny your claim. In fact, attesting to items you aren’t actually living up to only increases your risk.
Shop around for carriers. With this volatile insurance market and the cybersecurity hygiene requirements being rapidly rewritten, you will find different carriers with wildly different approaches, premiums, coverage amounts, and conditions. While several carriers have rapidly introduced stringent, supplemental underwriting applications, others are taking a more measured approach. Now more than ever, it pays to shop many carriers to find the one that offers a policy that best meshes with what your organization is already doing regarding cybersecurity and with a premium you can afford. Start the renewal process early and work with your broker through the process to achieve the best outcome for your association.