With the frequency and intelligence of cyberattacks on the rise, companies small and large are now faced with the need for more extensive cybersecurity insurance coverage and additional warranty protections.
Cyber criminals are developing more complex and damaging ways to infiltrate private data held beyond company security barriers.
“Data loss prevention and cyber management is three parts: confidentiality, integrity and availability,” said Justin Musil, shareholder and attorney at Milwaukee-based Reinhart Boerner Van Deuren.
The “CIA triad” is the model Musil and many others in the field use to define the goals of cybersecurity. Confidentiality refers to securing information systems and the sensitive data they house against breaches and cyberattacks. Integrity protects the reliability and correctness of systems and data. Availability ensures authorized users have timely and uninterrupted access to systems and data, according to Musil.
Musil has seen his work transition from primarily patient health information cases to entirely cybersecurity focused as the issue becomes more pressing and the need for cybersecurity legal counsel grows.
He now is often retained by company representatives as a mediator to ensure that insurance brokers offer appropriate coverage based on the needs of the business.
While the ransoms and insurance payouts continue to grow, insurance premiums are down about 15% from 2022 to 2024, according to a report from London-based insurance intermediary Howden. However, the declines come after a significant ramp-up in pricing from late 2020 to 2022. The increases came amidst “a rapidly deteriorating loss environment, highly constrained insurance capacity, rising demand globally and a major (perhaps overexaggerated) pricing correction,” according to the report.
“Pricing is now falling, competitive forces are yielding more tailored underwriting decision-making that reflects companies’ risk profiles,” the report says.
Just as cyber management has three parts, so too does cyber insurance: coverage, security tools and warranties, according to Paul Riedl Jr., chief executive officer of Milwaukee-based River Run. The managed service provider works as an outsourced IT department for small and mid-sized companies in southeastern Wisconsin.
“Please hear one thing, you have to have all three: insurance (coverage), security tools, and a warranty,” said Riedl.
Coverage
“I think something that most companies have to understand first is where their data is and where their services are located,” said Riedl.
Having that information is an important part of securing cybersecurity insurance coverage.
Deciding on the extent of coverage is different for every business. Typically, insurance providers ask insurance-seeking clients to complete a questionnaire on protections a company already has installed.
Questionnaires vary based on provider and business size but most cover similar topics pertaining to various cybersecurity aspects of the business, such as incident response plans, security and email management, employee training, data back-up and recovery.
“Different companies are using different (questionnaires), so our clients are kind of pulling their hair out trying to figure out which question they’re supposed to be answering,” said Riedl.
Ideally, all insurance companies will start using a standardized questionnaire to streamline the insurance coverage process, said Riedl. This, in turn, could lower costs for insured companies because there would be set industry standards and better practice methods, Riedl added.
Security tools
Security tools like firewalls, encryption and multi-factor authentication are among several protections listed on cybersecurity insurance questionnaires.
“There’s a specialized tool watching my workstation, watching my Microsoft 365 account, watching my emails going back and forth,” said Riedl.
To ensure proper coverage and liability awareness, companies are asked to disclose which software and hardware tools they use to maintain security over their data. An insurance broker and an IT department, internal or outsourced, will determine insurance coverage, rates and deductibles accordingly.
Warranties
A new development in cybersecurity insurance is the inclusion of middle-man coverage and warranties for managed service providers and the companies they represent. These warranties can cover the gaps in insurance policies and deductibles from insurance providers when a data breach occurs.
Boston-based Cork is a cyber-risk insight platform designed to evaluate risks in a company’s cybersecurity management and offer warranties to fill any gaps in insurance coverage. Founded in 2023 as the first of its industry, Cork offers supplemental cybersecurity insurance coverage without the use of questionnaires that insurance providers distribute.
Small and large companies alike
Dave Stamm, chief executive officer of Milwaukee-based Stamm Technologies, emphasized the need for all companies to be covered heading into 2025.
“Small companies, who sometimes don’t believe they need the coverage that a larger company would pay for, are affected because of the trickle down of the same software usage,” he said.
A decade ago, ransoms were “cheap,” ranging anywhere from $500 to $3,000, Stamm said. Today, ransoms are starting at $200,000 to $300,000 and can surpass $1 million depending on the size of the company and the breach.
That is why all companies need at least $1 million worth of cybersecurity insurance coverage, he said.
Insurance companies are now paying out larger sums of money to cover an influx of attacks. As a result, insurance providers are becoming more stringent on coverage before sending an offer to insurance recipients to ensure that they have the necessary cybersecurity tools to recover from an attack.
“Everyone needs coverage,” said Stamm.
However, there is a gap in coverage. Globally, just 21% of companies with fewer than 250 employees have cyber insurance, according to the Howden report, compared to 85% among large companies with more than 100,000 employees.