Insurers make money by assuming the business risks of their customers for a fee. They make a profit only if the estimated aggregate cost of the risk for all their customers is less than the aggregate fees for assuming the risk. Companies seeking cyber insurance face technology-based security threats, so understanding technology is essential for insurers to make sound underwriting decisions. The problem is that insurers have been consistently behind their financial services peers in understanding leading-edge technology enablers. Many have no idea how to assess the financial, reputational and regulatory risks they face and would rather walk away.
Insurun has compiled a listing of the top reasons insurers decline cyber insurance based on more than 100 companies we helped obtain coverage. Let’s look at the top four reasons insurers decline applications for cyber coverages.
The applicant allows their employees to bring and use their personal computers to work (BYOD). BYOD has become a widely accepted business practice as companies like IBM, Citrix and SAP have all built products around using and securing BYOD. However, like other business enablers, BYOD is a security weakness only in the absence of a cybersecurity policy that governs its acceptable use and configuration.
The applicant has end of life (EOL) systems. Okay, many businesses have EOL systems. There’s nothing wrong with companies that have old systems they intend to replace. On the contrary, investment bankers and venture capitalists tend to view companies that actively retire their legacy systems as forward thinkers and innovators. EOL security issues come about when a company doesn’t have a schedule for retiring EOLs, or when the EOLs use older, more threat-vulnerable technologies, or both.
The applicant network security controls are too “low” of a maturity level to process credit card information for many customers. Aside from its sophomoric wording, this reason for decline provides the strongest indication of the insurer’s misunderstanding of even the most fundamental cybersecurity concepts. First, the HHS Cybersecurity Maturity Model has levels ranging from “initial” to “optimize.” Low is not one of them. Second, holding PII falls under data security, not network security. Third and most egregious, this finding implies that the applicant “processes” payment card data when, in fact, it uses a third party like Stripe for this purpose. At no point in this process is payment card information captured by Stripe stored or processed by the applicant. Even if it could somehow find a way to capture this information, it would be useless as it was already encrypted at the point of sale.
The applicant uses a third-party cloud service provider. While it may be true that companies don’t have a traditional boundary network nowadays, they most definitely have a virtual network. VPN technology has enabled networks to grow beyond conventional boundaries and into homes, third-party service providers and customers. But be careful. While AWS, Microsoft or Google may be handling important “stuff,” they are not securing it and cannot be relied upon to do so out of the box. AWS offers only rudimentary physical security and failover capabilities as part of its Shared Responsibility Model. Everything else falls square upon the applicant.
The challenge here is twofold. Insurers make underwriting decisions based on technologies they don’t fully understand, while applicants don’t fully understand cybersecurity frameworks. Therefore, applicants cannot apply them to their IT infrastructures. The solution would be a method in which applicants can prove to insurers that their cybersecurity posture meets the security control requirements of one or more widely accepted standards. This requires that the applicant engage a qualified, unbiased third party to perform a detailed review of their cybersecurity posture against frameworks like the NIST 800-171—”Protecting Unclassified Information in Nonfederal Information Systems and Organizations.”
After the examination, the third party renders a security “attestation” report to the applicant that interested parties like regulators, banks and insurers review and then make better, more accurate and more objective underwriting decisions.
Cybersecurity applicants are likely to face more, not less pressure from third parties to prove they adhere to cybersecurity practices, rendering ongoing cybersecurity and cybersecurity attestation services critical parts of their businesses.