Inside the cyber insurance application process
The Imprivata team shares lessons learned from its recent completion of the cyber insurance application process. Start early and be ready and transparent.
Five years ago, cyber insurance was an add-on to larger policy discussions. Today, cyber insurance has jumped to the front of the line and has become one of the most expensive policies under a company’s insurance coverage. Securing a cyber insurance policy is now more time-consuming, complex, and expensive.
In the past year, we’ve heard from many of our customers about the challenges they’ve faced in both acquiring and renewing their policies.
At Imprivata, we recently completed the process of renewing our cyber insurance policy and shared our experience in a webinar. We discussed how the cyber insurance application process has changed, as well as some key learning moments and best practices that may help as you begin your own journey. In case you didn’t get to join us or don’t have time for the full conversation (which I highly recommend!), I wanted to provide some highlights.
Ransomware is driving cyber insurance premiums and demand
It’s no secret that ransomware is on the rise. In fact, ransomware attacks happen every eight minutes. Marsh & McLennan estimates that 80% of their customers are now asking for cyber insurance, up from 40% only a few years ago.
Ransomware is also changing how insurers think about cyber insurance. Today, 75% of policy claims are related to ransomware, with payouts in the millions. The losses are so big that insurance companies are raising premiums and taking on less risk. As a result, insurers are more conservative regarding who they cover and for how much.
Start early for your best chance to meet requirements
If you are renewing or looking for first-time coverage, start early and be prepared for a lengthy process. Ask for the new application forms. Insurers are updating forms regularly, and these forms are more detailed than ever before.
What used to be a seven-question application has evolved into a 10-page document broken out into multiple categories. It reads more like an audit questionnaire. Underwriters want to get into the weeds to understand what security controls you have – or don’t have – in place.
Our team, which included senior leadership from finance, IT, security, and compliance, began with a pre-screening process. We reviewed the application questions and determined how comfortable we were responding “yes.” This led to discussions about our security controls and coincided with a year-long internal security review. We examined our perimeter protection critical services, expanded our multifactor authentication capabilities, and upgraded to next-generation antivirus software. We then reviewed our incident response plans, held tabletop exercises, and tested controls to verify everything worked. This took time and planning, of course, but in the end, it helped us feel confident in our security controls and application responses.
According to Marsh & McLennan, insurers are looking for companies with precise controls that can answer “yes” to the application questions. If you can’t respond yes, figure out why. Perhaps the question does not apply to your organization, or you can include more context. Fix the problem or develop a plan to achieve a “yes” response before renewal. You might need additional software and IT investments.
Starting early helps you have time to prepare and meet requirements. Underwriters look at application responses, and if they see “no” too frequently they won’t move forward with discussions.
Be transparent and consider your insurer a trusted partner
The underwriting process is long and involved. Companies should be transparent with carriers and view them as trusted partners. Our transparency made the insurance companies feel comfortable – so much so that they competed for our business. This put Imprivata in a better position to secure the best policy and premium.
In addition to the written application, be prepared for multiple calls with the underwriter and their IT/security expert. These calls can be very detailed and specific to how your controls are set up. Completing pre-screening exercises and testing of controls will help prepare you for the calls and allow you to answer truthfully and confidently.
These calls are not about uncovering past breaches, and should be friendly – they’re designed to help the underwriter better understand your business and your security strategies, not to maliciously point out any gaps you have. The experts who work with insurance companies understand the technology, evolving threat landscape, and best practices. It’s an opportunity to ask them questions about your controls and where they see potential areas for improvement.
Viewing the insurance carrier as a partner and being transparent will help you in the long run. Remember, when you sign the application and participate in calls, you certify that the responses are accurate. If the insurer finds out the controls were not in place, they can deny a claim.
Determining coverage and premiums
Cybersecurity is evolving every day, and there is no magic formula for determining how much coverage a company needs. Marsh & McLennan says premiums are increasing as much as 200-300%, and companies are taking a more pragmatic approach. Policy decisions are often based on the need to satisfy contracts or how much a company can afford to spend. Companies can work with their agent to evaluate plan options and take on higher deductibles to help manage premiums.
Securing the best rate and policy coverage is all about lowering your risk and the carrier’s risk. Insurance providers are looking for companies that leverage best practices and proven technologies, including multifactor authentication (MFA), secure remote access, privileged access management (PAM), single sign-on (SSO), endpoint protection, and other identity governance tools.
Start planning today if you are considering cyber insurance or renewing a policy. The process can seem exhausting at times. Be prepared and transparent with your security strategy. Collaborate early with insurers to understand what they are looking for and determine if your security and IT infrastructure meets their requirements. If not, develop a plan to address any gaps.
To hear the full cyber insurance discussion, you can watch the webinar on demand. For more tips, download our eBook, “Trust in zero trust: Your cybersecurity insurer does.”