Insurability: The Long Term Impacts of a Cyber Attack
01 October 2021
Blog submitted by Crowe MacKay LLP
If your business has been a victim of a cyber attack, you are well aware that the immediate priorities are to resume operations as quickly as possible and protect your information, which requires engaging emergency cyber security consultants or paying a ransom. Your next step will be to invest in cyber security or increase your current safeguards.
Once you have resolved your cyber attack and implemented new processes and policies, you may think your business is now safe, but what about the long-term impacts of the cyber attack? How will this affect the future of your business’ operations?
Applying for Cyber Security Insurance
Crowe MacKay’s technology consulting team have been assisting clients in reviewing their cyber security insurance policies, and have observed how the landscape of cyber insurance is changing, specifically surrounding the types of questions insurers are asking businesses.
Previously, insurers would ask a limited set of questions in the underwriting form, such as:
- Do you have backups?
- Do you have antivirus?
- Do you have a disaster recovery process?
Following the increase in successful cyber attacks and the lag among businesses in strengthening their defences, insurers are becoming more detailed and pointed in the questions they ask. Some examples of these include:
- Do you test your recovery process yearly?
- Do you have multi-factor authentication?
- Does your backup procedure use technology that will protect against a ransomware attack?
- What is the brand and type of firewalls and routers used?
- Do you have a cyber security incident recovery plan, and has it been tested?
Answering “No” or providing an answer that does not meet the criteria of the insurer may result in much higher premiums or a refusal by the insurer to underwrite you, leaving your business fully exposed and with no safety net.
These changes are in response to the increase of cyber security attacks and claims made by businesses resulting in higher losses for insurers. You can expect to see this trend continue and even a potential tightening of the process in the future.
Selecting Cyber Security Insurance for Your Business
As you look to protect your business, insurers are looking to mitigate their risks. What does this mean when it comes to your cyber security insurance?
Crowe MacKay’s technology consultants have seen insurers adding limiting clauses to their policies which will drastically reduce the amount payable to you by the insurer in the event of a cyber attack.
Examples of clauses you may find in a policy are as follows:
- Authentication information stolen through social engineering
If the cyber attack on your company, and the resulting losses, originated from the acquisition of log-in credentials via social engineering or phishing, the limit can drop from an original $2 million coverage down to $20,000.
- Generic limitation on phishing attacks
Insurance policies may stipulate a lower limit for phishing attacks, generally to 1% of your total cover.
Can an Insurer Refuse Insurance After a Cyber Attack?
It has been reported to us that numerous insurers refused to underwrite businesses if they had a cyber security event in the last year. More importantly, some of the cyber security incidents at the root of the refusal were benign in nature and resulted in no claim filed with the insurer.
A provider may refuse to renew your insurance while you are in the process of renewing your policy, potentially putting you in the position where you may end up with no insurance policy for a period of time. A cyber security event during such a period could result in a dramatic situation for your business.
For clients that have been able to secure a new policy following an event, we often see an increase in their premiums by more than 50%.
How to Protect Yourself from a Cyber Attack
With the continuous increase in sophisticated cyber attacks and the hardening of the insurance market, Crowe MacKay’s technology consultants strongly recommend companies take proactive steps to strengthen their defences against hackers.
A successful cyber attack will not only damage your business in the short term but leave you more exposed in the long term if insurers refuse to underwrite your business. Executing a cyber security risk assessment is the first step in strengthening your position.