Changes to Cyber Insurance Requirements - What you Need to Know

by Jane-Michèle Clark

May 01, 2023

More changes? If you’re like most people, seeing changes to what’s covered, along with the cost of your current cyber insurance policy, you may be wondering if it’s worth the cost. It is, of course, but that doesn’t make the budget hit any less painful.

Insurance company loss ratios have been over 60% consistently for the past five years, causing some insurance underwriters to discontinue the coverage. Others are raising their premiums to compensate.

Globally, premiums increased 94% from 2019 – 2022, and we are certainly seeing similar increases here, at home.

There are two key ways in which this is impacting Canadian organisations.

1. Nation-state attacks are being excluded from many policies.

There has been a significant increase in nation-state attacks since the pandemic took hold, as well as other types of cyberattacks originating from outside Europe and North America.

Today, it’s highly possible that a stakeholder with whom you collaborate regularly, or one of the firms within your supply chain, manufacturers its products in China, or elsewhere offshore. One of these companies may do business with a company in Russia, Iran, North Korea or the many other countries behind such attacks.

Now, your network could be vulnerable to a nation-state threat vector. And all it takes is the smallest of security shortcomings, somewhere along the line, for this to morph into a massive problem for you. It’s like a small drop in the ocean rippling out until it becomes a tsunami-sized wall.

This is now so problematic that many insurance companies no longer cover nation-state attacks. These underwriters are likening them to acts of war, which are not covered by most policies. Merck & Co.’s successfully took its insurers to court in 2022, arguing that the exclusion should only apply when use of armed forces was involved as part of a recognized conflict. The court agreed.

The result: As of March 31, 2023, Lloyds of London (one of the largest insurers in the world) introduced clearly-defined exclusion clauses for state-back cyberattacks. Other underwriters are following suit.

2. Insurance Underwriters are Tightening Policy Requirements

Today, it is common for insurance companies to require that clients be able to prove they are doing everything they can to ensure their networks are secure, and that employees have been trained in terms of processes to follow.

Typically, in the initial meeting to set up or change your cyber insurance policy, you will be asked questions such as:

When was your last security audit and what did it reveal?
What MFA solution do you use?
What are your response plans for both cyberattacks and recovery from those cyberattacks – and can we get a copy?
Do you store customer data such as names, addresses, credit card information – and how are you protecting that data?
As employees bring their devices to work (BYOD), how do you protect those devices, ensure the devices are healthy, and ensure the employees are who they say they are?

Although requirements vary slightly from carrier to carrier, based on the above questions, it will come as no surprise to find that most insurers require the following:

A recent security assessment, including penetration testing report.
Some form of multifactor authentication. Duo, which is offered by Cisco, is one good solution; we also offer others, including fob options when unions prevent cloud-based applications that impact personal devices.
Data backup and recovery software solutions. Many insurance companies are also starting to require that firms show they have solid disaster recovery plans and processes in place.
Having an Uninterruptible Power Supply (UPS) that will keep networks, equipment, point-of-sale terminals, laptops and other critical tools running in a power failure, helping to prevent data loss and apparatus damage, until your generator kicks in… or at least until you are able to shut down everything safely, if you don’t have a backup generator. Sometimes that buffer can be the difference between being able to get up and running again quickly, or not, and your insurance carrier knows this, too.

One of our partners, Eaton, has a wide selection of options – one that is likely right for you.
Ensuring that your Remote Desktop Protocol (RDP) is not exposed. Although the remote display and input capabilities are great for windows-based applications running on a server; it’s important that vulnerabilities are locked down.
Secure email – insurers want proof that you are using email filtering, validation and pre-screening for potentially malicious attachments and links.
Endpoint security. Again, we have partners with excellent products/ solutions for protecting endpoints.
Firewalls that block unsolicited and unwanted incoming network traffic and/or some form of SASE to protect your perimeter. The are excellent offerings from Zscaler, Extreme Networks, Cisco and Palo Alto for this.
Internal security controls, including policies, tools, process and procedures that have been implemented to safeguard your environment.
A vendor management plan that shows access rights, processes and protocols for revoking privileges when access is no longer needed, ways of logging and monitoring remote access by third-party companies, as well as “business” continuity plans for change of vendors and other solution providers.
Some insurers also require that your data be resident on servers in your home country and/or on servers in approved countries – and that your providers can show redundancies as needed.

With the way things have been changing over the past 12 months, we always recommend that clients review their cyber insurance policies carefully to ensure they are fully compliant as nearly 20% of claims were rejected in 2022.

We can help you with the audit, ensuring that you are compliant based on what your insurance company requires – and provide you with a plan for putting the necessary solutions in place, if you aren’t. If you’d like to learn more, or arrange for a security audit (usually the starting point), please feel free to contact us at [email protected] or call us at 416.429.0796 or 1.877.238.9944 (toll free).

Full Stack

Managed Services

Industries We Serve

When was your last security audit and what did it reveal?

What MFA solution do you use?

What are your response plans for both cyberattacks and recovery from those cyberattacks – and can we get a copy?

Do you store customer data such as names, addresses, credit card information – and how are you protecting that data?

As employees bring their devices to work (BYOD), how do you protect those devices, ensure the devices are healthy, and ensure the employees are who they say they are?

A recent security assessment, including penetration testing report.

Some form of multifactor authentication. Duo, which is offered by Cisco, is one good solution; we also offer others, including fob options when unions prevent cloud-based applications that impact personal devices.

Data backup and recovery software solutions. Many insurance companies are also starting to require that firms show they have solid disaster recovery plans and processes in place.

One of our partners, Eaton, has a wide selection of options – one that is likely right for you.

Ensuring that your Remote Desktop Protocol (RDP) is not exposed. Although the remote display and input capabilities are great for windows-based applications running on a server; it’s important that vulnerabilities are locked down.

Secure email – insurers want proof that you are using email filtering, validation and pre-screening for potentially malicious attachments and links.

Endpoint security. Again, we have partners with excellent products/ solutions for protecting endpoints.

Firewalls that block unsolicited and unwanted incoming network traffic and/or some form of SASE to protect your perimeter. The are excellent offerings from Zscaler, Extreme Networks, Cisco and Palo Alto for this.

Internal security controls, including policies, tools, process and procedures that have been implemented to safeguard your environment.

A vendor management plan that shows access rights, processes and protocols for revoking privileges when access is no longer needed, ways of logging and monitoring remote access by third-party companies, as well as “business” continuity plans for change of vendors and other solution providers.

Some insurers also require that your data be resident on servers in your home country and/or on servers in approved countries – and that your providers can show redundancies as needed.