All I Want for Christmas is Cyber Insurance (But the Grinch Stole My Coverage)

Two experts unpack the riddle of how to get cyber insurance and explain why rates have gone up, what the insurers are looking for, and how to get the policy your SME needs.

By: F12


Cybersecurity has been trending over the past few years. With the onset of COVID, the number of cyber-attacks has been on a steep rise. But what’s also been on the rise is the price companies are paying for their cyber insurance—that is, if they can get insurance at all. Our CMO Devon Gillard recently chatted with two insurance industry vets from Acera Insurance who specialize in cyber insurance, Aliya Daya and Sean Graham. The three discussed difficulties that organizations are having obtaining cyber insurance and, most importantly, what you can do to get past the finish line with an insurance company.

 Why has it become so difficult for companies to get cyber insurance?

Aliya Daya: The most likely reason for the sudden change is COVID. Everybody suddenly pivoted to working remotely, and a lot of gaps opened up within an organization’s cyber hygiene. Remember: in cybersecurity, the human is the weakest link. So when an employee is working from home, they’re removed from the office ecosystem where there is a bit more control over the data. And so due to these emerging gaps, cyber crime increased significantly. And this prompted the uptick in cyber hygiene requirements for businesses, as well as increased premiums and limitations on who could get insured.

Sean Graham: In Canada, we’ve been experiencing some considerable tightening of the market regarding insurance requirements. That comes alongside a real price increase. We’ve just come through some of the hardest insurance markets we’ve ever seen. The insurance market had massive losses that weren’t being covered by the premiums being collected. They were losing money on a large scale. Last year, the cyber insurance market experienced an increase in losses of about 1200%. Add to that the fact that Canada is top three on the naughty list when it comes to cyber hygiene and security, which is why it’s becoming so difficult for Canadian companies to buy cyber insurance.

Will the requirements needed to qualify for cyber insurance keep going up?

 AD: I believe the requirements for cyber insurance will keep ramping up, but I think it’s going to be targeted towards certain sectors or industries. Healthcare, for example, will certainly have a higher level of requirements versus a smaller organization in the construction industry with only two or three employees.

How do I convince a cyber insurance company to insure me?

AD: Training is the crux and the cornerstone of your cybersecurity. Having a good training program implemented in your organization will lower your insurance rates. That training program can be presented to the insurer and allow the underwriter to feel a certain comfort that simply answering technical questions won’t provide. A cybersecurity training program is one thing that will get your company across that finish line with insurers.

Devon Gillard: That training is a number one action item for everybody. Ensure that your company has a cyber training program; insurers love that. A good program, one that F12 customers may already have, is provides validation and reports back on who has taken the test and how they scored.

Who am I working with when buying cyber insurance?

AD: Agents, or brokers, are your advocates when purchasing cyber insurance. A broker is the intermediary between your organization and the insurance company. The agent collects data on your company and negotiates the terms on your behalf with a specific insurer (based on the type of insurance your company needs). An agent will strategically pick the right provider and insurance on your behalf.

SG: For most people buying insurance, a standard insurance policy can be difficult to read. It’s tricky to understand what the policy actually covers—particularly in the cyber realm. If you don’t have an agent advocating on your behalf, someone who knows the insurers and understands their wording, you could be buying a completely useless tool and paying a lot of money for it.

If a company has worked hard on their cybersecurity, does that lessen the need for cyber insurance?

SG: One of the biggest exposures when it comes to your cyber insurance is the interruption to your business as the result of a cyber-attack. For small- to medium-enterprises, you could be looking at a potential shut down of 30 days to six months. A good example is a start-up laboratory which we work. They’re a small company that has now been shut down for nearly 18 months thanks to a breach in their cybersecurity. They lost all of their data and are slowly rebuilding and trying to re-qualify for their funding. And their investors are asking them, “Why weren’t you properly insured for this?” And they just didn’t realize the exposure on the business interruption side of things.

AD: Keep in mind that there are various forms of “self-insurance”. A company could request a higher deductible—then you are self-insuring to that deductible amount. I work with some organizations who have $100,000 deductibles and high limits of $5 or $10 million.

What are some other ways I can protect my organization from cyber crime?

AD: MFA encryption (multi-factor authentication) would be number two, right after training your people. The third on the list would be controlling the entry and exit points into your organization.

DG: MFA means you’re using more than just a username and password, because those are stolen all the time. You need to also have a token, or an app, or some other way of approving the login.

SG: I can’t say enough about training. But you can also focus on ensuring your patches and monitor logs are up to date. And when it comes to MFA, remember that insurers look for multi-factor authentication, not two-factor authentication. 2FA is not considered strong enough by insurance standards.

How can I get the cyber insurance company to say “yes” to my organization?

AD: Make sure you have the right advocate who is going in with the correct submission. That means holistically telling your organization’s story, along with the cybersecurity checklist they’re taking in with them. And make sure that your advocate actually understands cyber. There’s a lot of noise out there with respect to different cyber policies, but I don’t think there’s a lot of specialization.

Are you a small- to medium-enterprise finding it difficult to get cyber insurance? F12 can help you make sure your cybersecurity is strong enough to both protect your business and get the insurance companies to take notice. Reach out to us today to discuss how we can help you meet the cybersecurity requirements to get the coverage you need.