How to Get Lower Cyber Insurance Premiums

If your cyber insurance premium blew up this year, you’re not alone. According to Marsh’s Global Insurance Market Index, cyber insurance rates in the U.S. increased 110% in the first quarter of 2022. To make the situation even more frustrating, the application process has become extremely complex, with insurance companies asking hundreds of questions at renewal time. 

In this post, we’ll describe the key ways you can get lower cyber insurance premiums and survive endless underwriting questionnaires while still getting the coverage essential to your business. 

How to Reduce Your Cyber Insurance Premiums 

The following policies and tools have the dual benefit of making you more secure and convincing underwriters that you’re a lower risk. Ross Ingersoll, an executive risk and cyber account executive at Holmes Murphy in Des Moines, Iowa (one of HBS’s insurance-industry partners), points to three security policies and tools every insurance carrier wants to see. 

Multifactor Authentication 

“MFA is, by far, the leading indicator to prevent ransomware losses, and it’s the number one thing carriers are looking for,” Ingersoll says. Without a sound MFA policy, you may be denied coverage. And a general answer of “yes, we have MFA” won’t satisfy most carriers. They want details on how your MFA policy protects admin-level users, secures all remote access, and secures corporate email on non-corporate devices and web apps. 

Endpoint Detection and Response 

Ransomware struggles to get past these systems, which catch threats early and shut them down. An IBM study found that organizations using security AI and automation spend 80% less handling a breach. A solution like HBS’s Managed XDR can detect anomalous activity, correlate actions into a threat picture and proactively shut down attacks, often within milliseconds. 

Solid Backup/Recovery Procedures 

Ingersoll asks his clients: “Do you have an offline or segregated backup solution? Have you tested it frequently? Monthly? Quarterly? Is access to the backup restricted by MFA? Along with that, do you have an incident response plan to access the backup and have you tested the IR plan?” 

Why Premiums Have Jumped 

The last couple of years have rocked the cyber insurance landscape, with three factors hitting almost simultaneously. Insurance companies had set rates artificially low because they lacked enough claims history to do accurate underwriting. Then the ransomware wave and the shift to remote workforces arrived at the same time, sending claims skyrocketing. 

Put all that together, and you get an industry trying to right-size its revenue in a hurry by jacking up rates. At the same time, cyber insurance companies have taken other steps to control their losses: 

  • Stop offering coverage. Some companies have decided it’s not worth the risk. Reuters has reported that Lloyd’s of London, which owns 20% of the worldwide cyber insurance market, won’t be taking on cyber business in 2022. And with fewer companies offering coverage, rates go up. 
  • Reduce limits. You may not be able to buy the same coverage this year at any price. 
  • Make underwriting tougher. “Five years ago, if you had antivirus and a firewall, you qualified,” says Ingersoll at Holmes Murphy. Now, HBS sees applications drilling down on clients’ cybersecurity positions with 250 or more detailed questions. 
  • Deny coverage. Some clients simply get labeled too risky to cover. Or they can’t get coverage for specific high-ticket threats, such as ransomware attacks. 

A Case Study In Lower Cyber Insurance Premiums 

You probably can’t avoid a price hike. But your actions can lead directly to lower cyber insurance rates. Consider the following story from Ingersoll of Holmes Murphy: 

Ingersoll recently met with a client six months before their cyber insurance policy was up for renewal. The client lacked several of the key security tools described above, but on Ingersoll’s advice, they quickly ramped up their security posture. 

To measure the ROI, Ingersoll got insurance quotes before the improvements and after. With no security adjustments, the $3 million policy’s price would have jumped from $20,000/year to $80,000/year. And ransomware incidents would have been limited to $100,000 of coverage. 

With the new security policies/tools in place, the client kept their original coverage amounts and saw the price rise to $35,000. That’s still a 75% increase—but it’s a lot better than paying 300% more for less coverage. 

“The increase may be inevitable,” Ingersoll says. “But you can manage the increase while maintaining a robust policy. That’s the moral of that situation.” 

How to Prepare for Tougher Underwriting 

Along with focusing on the key areas mentioned, you should brace for a significant time investment at policy renewal time. For both new policies and renewals, expect a long list of questions probing deeply into your information security policies and tools. We recently helped a client respond to 275 individual questions from their cyber insurance carrier. 

So start five to six months before the renewal is due, and get help from third-party experts such as HBS and an experienced insurance broker. 

Expect questions like these: 

  • What percentage of your IT budget is allocated to information security? 
  • Do you have a Chief Information Security Officer or equivalent? 
  • Which cybersecurity frameworks do you follow? 
  • Do you engage a third party to provide an assessment of your cybersecurity program and controls? 
  • How do you track your software inventory by operating system and application version? 
  • Do you implement standard audit logging policies for hardware devices and software? 
  • What are your password policies? 
  • How do you encrypt data? 

HBS consultants help organizations create customized security plans that not only help with cyber insurance costs but secure the organization’s future. Contact us today for a conversation about how we can help boost your security posture.