Significant rate increases are quickly becoming the norm in the US cyber insurance market. With the frequency and severity of ransomware incidents hitting record heights in recent years, insurers have reacted by seeking more rate and shoring up their underwriting guidelines in order to control their costs and protect their books. Some have even started sub-limiting ransomware and applying co-insurance provisions, forcing insureds to share more of the risk.
Rather than enforcing sweeping rate increases across entire portfolios and issuing blanket statements on ransomware underwriting guidelines, Nick Economidis, vice president, eRisk at Crum & Forster, suggests a more supportive approach: insurers should help customers improve their cyber security posture and reduce their exposure to ransomware through effective risk management.
“It all comes down to having the right controls in place,” said Economidis. “One tool we like to work with at Crum & Forster is something we call the ‘Quality Curve’. On one end of this hypothetical bell curve are the top 20% of risks (those with the best controls and the fewest losses) and on the other end are the worst 20% of risks (those with poor controls and the most losses). Most companies are somewhere in the middle.
“If companies want to blunt what’s happening in the cyber insurance market, they need to have best-in-class controls, and they need to do everything they can to demonstrate their risk management practices. Even if they can’t move from average to superior on the bell curve, if they can just get from average to above average, then they’ll likely see better rates, they’ll get more insurers quoting their business, and they’ll get better terms.”
In the January 1, 2021 cyber renewals, a number of major cyber insurers announced changes to their underwriting criteria, but they did not necessarily give policyholders and prospective clients a clear path to the best terms: what, concretely, they needed to do. That is an area where the industry as a whole can improve, according to Economidis, by giving insureds specific ways to shore up their risk profiles in return for more favorable rates and terms.
Many of the strategies and tools that companies can use to improve their cyber security posture are relatively easy and simple to deploy. For example, companies can secure remote desktop protocol (RDP) by requiring multi-factor authentication (MFA) for all remote access; in practice that means not exposing RDP (TCP 3389) directly to the internet, but placing it behind a VPN or remote desktop gateway that enforces MFA. Removing local administrator rights from everyday user accounts on workstations is another effective control: a user then cannot install software, or disable security tools, without an administrator entering a separate administrative credential, which blocks much of the malware that ransomware operators rely on to gain a foothold.
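The two workstation controls above are easy to state but often drift in practice. The script below is an added example, not code from the article or from Crum & Forster: it audits a single Windows host for RDP exposure (enabled, Network Level Authentication, firewall scope) and for unexpected members of the local Administrators group. It assumes Windows 10/11 or Server 2016+ with PowerShell 5.1 or later, run from an elevated prompt; the list of permitted administrator accounts is an assumption to adjust per environment.

```powershell
# Added example (not from the article). Audit one Windows host for the controls
# discussed above: RDP exposure and local administrator membership. Run elevated.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($rdpDenied -eq 0) {
    $findings.Add('RDP is enabled on this host')

    # 2. Network Level Authentication (UserAuthentication = 1) makes the client
    #    authenticate before a session is created. It is not MFA; MFA for RDP must
    #    come from a VPN, gateway or identity provider placed in front of the host.
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication
    if ($nla -ne 1) {
        $findings.Add('RDP accepts connections without Network Level Authentication')
    }

    # 3. Firewall scope. An enabled inbound Remote Desktop rule whose remote address
    #    is "Any" means only the network perimeter keeps 3389 off the internet.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    if ($openRules) {
        $findings.Add("RDP firewall rule(s) allow any remote address: $($openRules.DisplayName -join ', ')")
    }
}

# 4. Who holds local admin? Anything beyond the built-in Administrator account and
#    the domain's admin group is a candidate for removal. The allow-list is an
#    assumption; replace it with the accounts your environment actually sanctions.
$allowedAdmins = @('Administrator', 'Domain Admins')
foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $shortName = $member.Name.Split('\')[-1]
    if ($allowedAdmins -notcontains $shortName) {
        $findings.Add("Unexpected local administrator: $($member.Name) ($($member.ObjectClass))")
    }
}

if ($findings.Count -eq 0) {
    'No findings: RDP hardened (or disabled) and no unexpected local administrators'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it across a fleet through your management tooling and the output becomes the evidence an underwriter is asking for: a count of hosts with RDP reachable from any address, and a list of accounts that still hold local admin rights.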
“We also encourage insureds to enable administrative audit and mailbox audit logging on their email servers,” Economidis added. “While that doesn’t actually prevent a hacker from compromising the server, it does make it a lot easier and less expensive to carry out forensics to identify what the bad actor did and how deep their intrusion was. Insureds should also be considering the implementation of an end-point detection and response (EDR) system. That’s a bigger investment and a more substantial undertaking, but EDR tools can really help to protect people.”
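The audit logging Economidis describes maps directly onto two Exchange settings: per-mailbox auditing (owner, delegate and admin actions on the mailbox) and the admin audit log (every configuration cmdlet, which is where forwarding rules and permission grants planted during a business email compromise show up). The script below is an added example, not code from the article or from Crum & Forster. It assumes an Exchange Management Shell on Exchange 2016/2019, or an ExchangeOnlineManagement session already opened with Connect-ExchangeOnline; the 180-day retention value is an assumption to align with your own policy.

```powershell
# Added example (not from the article). Find mailboxes that are not being audited,
# enable auditing on them, and confirm the admin audit log is on.
# Assumes an Exchange Management Shell (on-prem) or a connected Exchange Online session.

# Exchange Online only: an organization-level switch that, when $true, ignores every
# per-mailbox AuditEnabled setting. Exchange Online audits by default unless this is set.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level; enabling it'
    Set-OrganizationConfig -AuditDisabled $false
}

# Per-mailbox auditing. A mailbox with AuditEnabled = $false records nothing, so a
# forensic review of that account after an intrusion has no log to work from.
$unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled }

foreach ($mbx in $unaudited) {
    # 180 days of history is enough to establish how long an intruder had access
    # in most cases; the value is an assumption, adjust it to your retention policy.
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true -AuditLogAgeLimit '180.00:00:00'
    "Enabled mailbox auditing on $($mbx.PrimarySmtpAddress)"
}

# Admin audit log: records the cmdlets that change configuration (forwarding rules,
# mailbox permissions, transport rules), which is how persistence is usually found.
$adminCfg = Get-AdminAuditLogConfig
if (-not $adminCfg.AdminAuditLogEnabled) {
    Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
    'Enabled admin audit logging'
}

# Verification report: expect a single group with Name = True after the changes.
Get-Mailbox -ResultSize Unlimited | Group-Object AuditEnabled | Select-Object Name, Count
```

The report at the end is the artifact to keep: a dated export showing every mailbox audited is the kind of evidence that moves an application from "we have logging" to a verifiable control.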
These cyber risk mitigation tools are on the conversation docket for every good cyber insurer, broker and agent, but there are still challenges to overcome in getting insureds to actually make the investments. Many companies have conflicting priorities, where they’re trying to enhance their IT systems so they can operate more efficiently, while also improving the security of their systems. They only have so much time, so much budget, and so many hands to make these changes – and they’re up against a cyber risk landscape that is constantly changing as hackers evolve their tactics to find new exploits.
“One thing that brokers have sometimes struggled with in the past is articulating what the rate savings will be if companies engage in effective risk management,” said Economidis. “They can say: ‘If you do X, Y and Z, we think we can get you a better price in the market,’ but it’s been difficult for them to say, except in very general terms, what the savings will be.
“At Crum & Forster, we’re keen to offer policyholders and prospective clients two quotes. The first quote is priced depending on how the company presented itself in its application. That’s what most insurers do. But we then go a step further and we’ll offer them a second quote, which says: ‘If you’re willing to implement these things, which are relatively easy and simple to deploy, we’ll give you a significant price reduction.’ I really think insurers have an obligation to help customers avoid large rate increases by putting the right controls in place and encouraging best-practice cyber risk mitigation.”