March 3, 2022

Last Updated on January 19, 2024

On a recent episode of The Virtual CISO Podcast, host John Verry invokes his inner Nostradamus to forecast the most significant information security and privacy developments coming in 2022.

“I don’t think it’s that crazy to play Nostradamus if you base your predictions on where we are today,” John says. His #2 prediction does seem like a pretty safe bet: cyber liability insurance (CLI) premiums will continue to rise, and cyber insurers’ due diligence efforts will ramp up significantly.

Why are CLI costs rising and by how much?

John’s prediction is that CLI premiums will increase roughly 25% across the board in 2022, notwithstanding numerous other factors affecting specific sectors and businesses. The major reason for this can be summed up in two words: “ransomware payouts.” Some of the industries hardest hit by ransomware, such as healthcare and education, rely most heavily on CLI as “damage control” or a “safety net” to offset some of their high cyber risk.

As their payouts and risks increase, CLI providers will naturally take steps to balance things out, like increasing prices, making their terms more restrictive, offering lower payout limits and declining more applications. Further, they are likely to require their customers to attest to a higher standard of security.

As John says,

“I think this is the only logical response to the fact that we’ve seen approximately a tripling of the number of cybercrimes in the past year.”

 

What does CLI provider due diligence look like?

For CLI providers to keep their costs in check, the underwriting/due diligence process has historically been rather limited. The underwriter needs to figure out how risky your business is, how much coverage you’ll be offered, and how much to charge for that level of coverage.

But what facts are these decisions based on? Generally, the CLI provider relies on self-report questionnaires. These are becoming increasingly detailed as providers seek to determine whether you have a robust cyber risk management program or not. Some questions you may see include:

  • Do you have various “table stakes” security controls like multi-factor authentication (MFA), identity and access management, smart endpoint detection, data/network segregation, encryption, etc., in place?
  • Do you conduct security awareness training?
  • Do you have adequate data backup and restoration procedures in place?
  • Do you have a third-party risk management program?
  • Do you have a business continuity program (or at least disaster recovery)?
  • Do you have an in-house or third-party security operations center (SOC)?
  • Do you have documented security policies and procedures?
  • Is your senior management involved in your security program?
  • Do you regularly conduct risk analysis and risk management?
  • Do you have trusted third-party security attestations like an ISO 27001 certification or a SOC 2 report?

If you want your business to get CLI coverage with a competitive premium, these are the kinds of controls and practices you’ll need to demonstrate. All else being equal, nothing says “provably secure” quite like a recognized third-party attestation, because it corroborates your self-report.\

Next Steps

Ready to hear the rest of John’s predictions? Click here.

Want to ensure your security policy is in sync with what a CLI provider is looking for and can offer for coverage? Check out this post: 5 Critical Steps to Align Security Policy with Your Cyber Liability Insurance Policy