For most companies, cybersecurity insurance is an expensive proposition. No one enjoys paying the annual premiums, but cyber insurance is another tool in a company’s risk mitigation tool chest.
As a long-time CISO who has negotiated several cyber insurance deals, I’ve developed a roadmap for getting the best deal possible. My advice for companies renewing their cyber insurance or buying for the first time:
- Work with a broker to cast a wide net when looking for insurance carriers. Brokers know which carriers are reputable and easy to work with, and ultimately, how they have processed claims in the past. This can avoid many headaches in the future when you need to make a claim.
- During the bidding process, be transparent about your security program, your plans, your previous audits, your past data breaches, everything.
- If seeking high coverage amounts, consider insurance level tiers allowing you to spread your risk across multiple carriers.
Looking for the best rate is critical for many companies because premium rates have increased dramatically over the past three to five years. Cyber insurance users have seen renewal rate increases of at least 15 percent each quarter between the first quarter of 2021 and the fourth quarter of 2022, according to Fitch Ratings.
In the five quarters starting with the second quarter of 2021, premium rates went up 25.5 percent or more from quarter to quarter.
While the cost of premiums have risen at a slower rate since the third quarter of 2002, rates are likely to keep going up. One factor is that some insurance carriers are dropping cyber insurance coverage because the costs involved with reimbursing customers for breaches have become exponentially higher in recent years. This has had a major effect on small and medium-sized businesses when they attempt to renew.
A Helping Hand
My recommendation is that companies buying cyber insurance work with a broker to help them through the process. The broker can help set up meetings with multiple insurance carriers and assist customers with filling out questionnaires from carriers. A good broker can also tell insurance customers about the big cybersecurity concerns that carriers have, which often change from year to year.
To get the best deal, I found success meeting with my cyber insurance carriers simultaneously during meetings set up by my brokers. The meeting was completely open to any topic, and every carrier had the opportunity to ask questions.
It’s worth noting that companies aren’t required to use one insurance carrier for their cyber insurance needs. Using a tiered approach can be beneficial. One carrier may give the best rates when it provides the first $5 million to $10 million of coverage, while a second carrier may provide the best rate between $10 million and $30 million, a third may be the best choice for coverage from $30 million to $50 million, and so on.
This tiering of coverage allows carriers to insure the amount they are comfortable with, and in many cases, helps customers to receive better rates. In addition, it spreads out the risk for the customer, lessening the chances that any single carrier will not be able to cover the entire cost of a breach. Even if one carrier can’t or won’t cover the costs of a breach, your five other carriers collectively may be able to cover most of the costs.
You can typically find several companies that are willing to cover $5 million and $10 million chunks, but fewer companies can cover $50 million or $100 million chunks. More than likely, if you use large carriers for a security event, you may not be the only client in their portfolio dealing with the same problem. In some cases, a carrier might have multiple claims for the same global incident, stretching its ability to pay claims.
Meanwhile, I suggest insurance buyers be completely transparent about their current cybersecurity stance, past performance and their future plans. Companies seeking insurance should be prepared to discuss in detail their security posture for potential carriers to review during these meetings.
I would typically spend a couple months preceding these meetings preparing for the discussion and answering any questionnaires submitted by the carriers. This includes plans for improvement, what has changed since last year’s renewal, management of your third-party vendors and partners, how you have dealt with highly publicized breaches others have suffered, results of pen testing exercises, and more.
Carriers want to know how your company has dealt with past data breaches and how it is defending against the current set of major vulnerabilities. They are seeking a level of assurance that you are prepared.
I recommend buyers answer any question a carrier asks during those evaluation meetings. Carriers should walk away from meetings with buyers with total confidence they’ve seen everything the buyer is doing to secure its IT systems.
Carriers do not want to be surprised by a breach that they could have foreseen if the customer had offered detailed information. Being less than honest about your security posture can set you up to have your claim denied.
When you’re not transparent, you’re rolling the dice that you’re not going to have an issue. When you do have an issue, carriers ask, “Why didn’t you tell us?” Initial transparency is key to avoiding surprises for both the customer and the carrier later on in their relationship.
Having a great relationship with your broker and carriers is key through not only the renewal process but also throughout the year. My practice was to report all incidents, regardless of scope or impact. This way, carriers saw that we were open with them and not trying to be deceitful in our relationship. This openness generated a lot of good will with the carriers when we actually needed their support.
Outside of maintaining a good security posture with constantly evolving improvement, I was able to reduce my company’s insurance premiums most years through this process. I also viewed a positive insurance renewal as a great talking point to senior leadership or the board. What better evaluation of your current security program than to discuss how carriers, which carry actual financial risk based on your security posture, have evaluated you?
Like all insurance markets, previous year’s losses will influence this year’s rates. You should understand that there will be years in which the market will dictate that insurance rates are going to increase across the board regardless of how sound your posture is or how many improvements you have made since last year.
Your broker can provide you some insight to what they are seeing. In those years, instead of having the mindset of trying to lower your costs, you may have to have a strategy of minimizing the increase. A broker can help you understand the size of the average increase and then compare it to any increase you are seeing.