What is Cyber Insurance Underwriting, How Has it Evolved, and What to Expect When You Apply
Cyber insurance underwriting is a process that insurance companies rely on to assess client risk, evaluate exposure, and model losses, such as the cost to recover from a data breach, ransomware attack, or other malicious cyber activity.
Due to a rise in claims (many of them stemming from the surge in ransomware), the underwriting process has changed significantly in recent years. As a result, insurers are revisiting their policies and enhancing their risk assessment processes.
If you’re getting ready to purchase cyber insurance or renew an existing policy, here’s how you can secure the right coverage.
Why Your Organization Needs Cyber Insurance
Every organization is vulnerable to a cyber attack. If you become a victim, cyber insurance can cover the costs your business may incur as a result of the incident. Cyber insurance typically covers a common set of scenarios and impacts, including:
- Data loss
- Business interruption
- Lost profits
- Extortion and ransom payments
- Fines and penalties imposed by regulators
- Reputation management
- Credit and identity monitoring services for those impacted by a breach
Cyber insurance can also support and defend your organization against legal liability claims brought by those affected by the incident, such as customers, employees, vendors, and business partners.
How Cyber Insurance Underwriting Has Evolved
As cyber attacks have become more commonplace and the frequency of claims has grown, the process of cyber insurance underwriting has evolved significantly.
To reduce risk and potential losses, insurers are becoming more diligent about risk assessment during the application process and throughout the life of the policy. They want to know what measures your organization is taking to protect against cyber attacks and mitigate their impact—and they are turning to technology for answers.
In addition to relying on traditional methods such as risk assessment questionnaires, which are often subjective and hard to verify, today’s sophisticated underwriting technology can shine a light on your security posture in a non-invasive and data-driven way. These tools can help underwriters evaluate the financial impact of a cyber attack on your business, compare your security performance to others in your sector, and assess cyber risk in your supply chain.
Once a policy is secured, insurers can continuously monitor your organization's cybersecurity health and keep a pulse on emerging risk throughout the period of coverage.
What Risks Do Cyber Insurance Underwriters Look For?
Many hackers rely on network and system vulnerabilities such as open ports, unpatched software, and misconfigured systems for their attacks. Insurers want to know that your organization is taking steps to understand and act on these risks. A failure to do so may result in a higher premium or declined coverage.
Other elements of a mature and established security management program that underwriters look for are a robust data management strategy, multi-factor authentication, network segmentation, and endpoint protection.
To ensure you can procure the right policy at the right cost, use a tool like Bitsight Security Ratings. Bitsight provides a complete view of hidden risk in your network and across your integrated supply chain, so that you can remediate it before it becomes an issue and help reduce potential cyber risk insurance claims in the future. Additionally, 50% of global cyber insurance gross written premiums are underwritten by Bitsight customers including AIG, Chubb, and Hartford.
Prepare For Your Cyber Insurance Application
When applying for cyber insurance or renewing a policy, preparation can ensure the best outcome. Engage multiple teams including security, IT, compliance, and legal—each has a role to play in providing timely input.
Next, begin gathering the information that potential insurance companies will need. Your list should include relevant data points that prove your organization’s commitment to sound cybersecurity.
Bitsight Security Ratings are a great way to prove your digital risk protection efforts to a cyber risk insurance provider. Presenting an external, objective view of your network’s cybersecurity posture will give your potential insurance provider a trusted view into what your organization does to protect from threats, and will make securing a cyber risk insurance policy smoother.
Ensure Your Policy Covers Relevant Risks
Before you sign on the dotted line, study your insurer’s contractual wording to avoid any misunderstanding of what is covered and what’s excluded. For example, if your organization is hit by ransomware and chooses to pay the ransom, verify that your policy protects your organization against those financial losses. Another common exclusion is state-sponsored cyber attacks. If you’re in a high-risk sector, such as critical infrastructure, technology, or finance, this form of coverage is crucial.
Read more about cyber insurance, what is and isn’t covered, and other things to look for in an insurer.
Cyber Insurance FAQs
What is cyber insurance?
Cyber insurance is a policy intended to protect businesses from financial loss associated with a breach of privacy, breach of network security, network interruption, systems failure, or cyber extortion. Cyber losses are typically excluded from — or remain “silent” within (meaning that they are neither specifically granted nor specifically excluded) — traditional property and casualty insurance policies.
What does a cyber insurance policy cover?
Coverage provided in a cyber insurance policy may include both first-party expense coverage and third-party liability coverage.
First Party – Expenses
- Services: Computer forensics, legal, PR, breach notification, and credit monitoring expenses
- Ransom demands
- Data restoration expenses
- Extra expenses incurred to run the business during a network interruption or systems failure (direct or contingent)
- Revenue loss arising out of a network interruption or systems failure (direct or contingent)
Third Party – Liability
- Fines and penalties
- Defense costs, judgements, or settlements (class actions)
Who needs cyber insurance?
Any company that operates a network or computer system, or relies on other companies to run its network or computer system.