What To Do If You're Denied Cybersecurity Insurance?

Post by
John Snyder

Your cybersecurity insurance provider just informed you that they are not renewing coverage for your business, or your application for a cyber liability policy was denied. DO NOT DESPAIR! There are plenty of options available to your business, and we will walk you through them.

There are 5 main reasons why your business might be denied cybersecurity coverage:

  1. You recently experienced a cyber attack.
  2. You have not attained the minimum acceptable security controls.
  3. You have too much sensitive information.
  4. You asked for too much insurance coverage.
  5. You are asking for insurance from the wrong insurer.

Each of these situations has a solution. Once you have determined which situation(s) you are in, follow these recommendations to find a way forward.

Scenario #1: Prior Security Incident

It is common for an insurance carrier to cover your business through one cybersecurity attack, but then cancel your policy or not offer a policy renewal once your contract ends. If this happens, work with your insurance broker and move on to another insurance provider.

When contacting your new insurance provider, you will need to disclose any previous cybersecurity incidents. They will ask for details about the attack and your response.

Expect that any new insurance company will require strict security controls and proof that you have implemented changes to your workstations, servers, and networks to avoid another security incident.  

Once you have experienced a cybersecurity attack, be prepared for added barriers such as qualifying for insurance with higher annual costs, higher deductibles, and stricter limitations about what will be covered.

Scenario #2: Required Security Controls

Most cybersecurity insurance providers will request a self-report on your security controls via a questionnaire. That questionnaire can serve as a checklist for the security controls you should implement. The insurer may also tell you that your lack of MFA or failure to properly patch your systems was the key reason you were denied.

To ensure optimal cyber insurance coverage, implement these 6 critical security controls. Our blog, How to Secure the Best Price for Cyber Insurance, details each control and its importance.

There is an increased use of online scanning tools to qualify cyber insurance buyers. Many cybersecurity insurers now require a report from BitSight or SecurityScorecard (to name a few) before they will issue insurance.  

Even if your insurer does not require a report from one of these platforms, you could opt to perform a third-party controls assessment of your infrastructure. These risk assessment tools have the benefit of giving you a tailored report about your business's weaknesses, often with recommendations about how to address them.

Net Friends also provides services and consultations to our clients on a regular basis to ensure they have the security controls in place to protect them from cyber attacks. Additionally, we have recently added vCISO services if you are looking for more in-depth support.

Scenario #3: High Volume of Sensitive Information

It typically takes managing millions of personally identifiable information (PII) records to make an insurer opt to deny coverage on this factor alone. If your business was denied coverage for having too much sensitive information, you still have a few options.

First, make sure that your business has a very good reason to store, transmit, and/or maintain PII. Sometimes a business stores a lot of PII that it no longer needs. This can be due to a past business venture, an acquisition, or bad data governance.  

If you discover that your business has a lot of unnecessary PII, it is best practice to eliminate this data according to your data retention requirements and within the bounds of any regulations that might apply to your business.

Keep in mind that to fully remove data from your system, you also must cycle out your data backups and confirm you eliminate all copies of the data.  

Second, if your business does have a good reason to handle PII, then critically examine whether there are ways you could de-identify the data. There are multiple tools that can assist with this, but most require someone with programming skills to properly implement. This will become an expense for your business, but it will also significantly reduce your potential liability and reputational harm in the event of a data breach.  

Third, if you do find that you need to maintain a lot of PII data, determine if you can increase your security controls to add more layers of protection around your data. Be prepared to make a case to a future insurance provider about all the safeguards that mitigate your risks of data loss. Net Friends can help you improve your security posture and critically examine your existing security controls so we can identify more effective ways to protect your business.

Scenario #4: Coverage Limits

When purchasing cybersecurity insurance, you are essentially transferring specific risks from your business to the insurer. However, it is important to strike a balance. Overestimating your risk exposure can make you appear less attractive to insurers.

We often think of just the top liability coverage limit (the big number), but additional risk costs are specified in most policies.

Breach notification response, data restoration, public relations, and computer fraud all have a specific claim limit and deductible amount. If you request too high a claim limit, or too low a deductible, this could make an insurer see your business as too much of a risk and result in a denial. A good insurance broker, like Insurance People, will guide you through the process to ensure you get the right mix and balance of claim limits and deductible levels.

Scenario #5: Insurer Mismatch

If your current insurer has discontinued cybersecurity coverage, do not worry. There are numerous providers in the market. While some insurers have exited the space due to large ransomware claims, many others find it profitable. Your broker can help you find a suitable insurer and ensure continuous coverage.  

High premiums can be a significant obstacle, even if you qualify for cybersecurity insurance. Leverage your broker's expertise to find more competitive options. Emphasize the security measures you have implemented, and the steps taken to protect sensitive data.

Conclusion

Cybersecurity insurance mitigates the risk of a security incident or data breach. Having cybersecurity insurance is a competitive advantage and shows that your business takes cybersecurity risks seriously. You should not have to resort to just keeping some funds in capital reserves (also known as a “rainy day fund”). 

Make sure you have a great working relationship with your insurance broker (such as Insurance People), as they can help you avoid getting denied or help you find coverage elsewhere if you do get denied.

We encourage all businesses to review this 13-item list of critical cybersecurity controls, and if you don’t have solutions in place for any one of these, please reach out to Net Friends today!

Originally Published: August 23, 2022
Updated: October 31, 2024
