COVID-19 has changed our world in many ways, and the Wall Street Journal reports that due to the heightened security risk from the increased remote workforce, commercial insurers are taking a closer look at their policyholders and new applicants for cyber coverage.
What does this entail? Insurers want to know what controls are in place to prevent common attacks, and how and how often those controls are being tested. How would the organization know if it were being attacked or had been breached? What resources does it have in place to respond to attacks?
What happens if the insurer doesn’t like your answers? If you are an existing customer, you will likely be put into a high risk group and see your rates increase. They may also apply additional exclusions to your cyber coverage. If you are applying to add new coverage, your application could be denied completely.
The insurers have reason for concern. Workers on equipment that is not controlled by the business’s IT team may not have the same level of controls to reduce the risk of data exposure and malware. Loss ratios for insurers increased from 34% in 2018 to 47% in 2019, and this additional scrutiny is a proactive step by the industry to mitigate loss for 2020.
What can you do? Be proactive yourself and make sure you can show that you have considered where you are at risk based on the data you need to protect and how your network has been set up, especially as it relates to remote workers. Have proof of vulnerability scans and penetration testing, phishing tests of staff cyber awareness, and your ability to detect and respond to threats. Consider a 24/7 breach service that can help validate whether an incident needs to be reported to your commercial insurer, to avoid unnecessary claims that can drive up your rates and make you pay for the investigation from your deductible.