Pub. 11 2021-2022 Issue 3


Navigating Cyber Insurance in 2021 and Beyond

If you’re anything like the banks I polled at a recent cybersecurity conference, your cyber insurance policy is up for renewal in the next few months, if you haven’t already been through the cycle. For those nearing a renewal period, expect some substantial changes: this will most likely not be a simple “rinse and repeat” extension. If you have access to a legal team, now is the time to spend some of those hours making sure you don’t miss important and costly details of the contract, in particular any new conditions of coverage and any limits that have been carved out of the main policy.

Here is a high-level overview of the new and shifting requirements you can expect to see:

Multifactor authentication (MFA) requirement on all endpoints. This includes any external connection such as a VPN. Cyber insurance providers are now requiring MFA as a condition of insurance, or at the very least an implementation plan with a concrete and short deadline. Because it is a condition of coverage rather than a recommendation, a single exposed access path without MFA can put a claim at risk, so read the carrier’s definition of the requirement closely and confirm that every remote entry point into the bank is covered. What was a security novelty five years ago has moved from a tool for earning brownie points with your regulator to a tool for getting insured. If you don’t already have something in place today, start the vetting process now.

Questionnaire about security controls in the renewal paperwork. It’s not quite an audit request list, but expect IT to be more involved in filling out the renewal packet than in the past. Questions may cover your backup methods and scope, your incident response procedures and how they are tested, and the details of your disaster recovery plan. Answer these carefully and accurately: the responses become part of your application, and a control you claimed but cannot demonstrate can be used to contest a claim later.

Coverage amounts may decrease, or your premiums may be higher. In at least one instance, we heard from a bank that coverage specific to ransomware payments was broken out into its own category and reduced from a maximum of $10 million to $2 million. If your policy carves out a ransomware sublimit like this, check exactly what it covers, whether only the extortion payment itself or also the response costs that accompany it. Premium increases of 5-15% are generally being reported in this renewal cycle.

Restrictive lists of authorized third-party providers. This isn’t necessarily new, but review it at renewal to make sure nothing has changed. Vendors for incident response, forensics, disaster recovery and business continuity, and even ransomware negotiation must be approved by your cyber insurance carrier before it will pay for services rendered during a crisis, so engaging an unapproved firm in the heat of an incident can leave the bank footing the bill. Check the policy’s notification requirements as well, since many carriers expect to be notified before outside help is engaged. Keep the current list well in advance of an incident, preferably printed in your IRP or DRP alongside your other contacts, so you can reach the right people quickly even when your systems are offline.

Cyber insurance, like much else in the information security realm, is growing more complex. But with a bit of planning, you can stay ahead of the curve and keep your risk management strategy aligned with your business goals.