Adding C to ESG: why cyber risk management is a critical ESG factor in your investment decision-making
Cyber insurance is quickly becoming a must-have for businesses of all sizes. The growing threat of attacks has led organisations to consider cyber insurance as little more than the “cost of doing business”. The journey to cyber coverage can be a tricky one, with a lot of organisations finding they can’t obtain the coverage they need. So, what are they supposed to do?
Why are applications being declined more than before?
The challenges in gaining cyber insurance aren’t confined to certain sectors or sizes of organisation; it’s a widespread problem. A lot of the issues that companies face are the result of the “hardening market”. Not only are quotes becoming more expensive, but they’re also increasingly difficult to obtain. Underwriters are having to ask a greater number of questions, and a growing number report that they’re performing a full risk analysis on organisations as part of the insurance assessment.
This has come as a bit of a shock, as previously quotes were easier to work out – the FCA (Financial Conduct Authority) had its own calculations on how much it would cost for an organisation to recover from a cyber attack, allowing insurers to quickly generate a quote based on these numbers*. Changes, like the 230% increase in ransomware attacks, have led to an increase in the severity and amount of claims that insurers are having to deal with. Now the exact impact and damage of an attack is incredibly complex to estimate, and securing coverage can be challenging as a result. This is just one factor that has made the cyber insurance market much more difficult to navigate. Both first-time submissions and renewals are requiring more attention and action on the part of insurers, brokers, and insureds, due to the changes in cyber threats.
Why have I been refused?
Firstly, an attack in and of itself is not always the reason why an application has been denied; however, the environment and practices which have led to an attack might be. Consider it a bit like home insurance. If you’ve been burgled, that doesn’t mean you will be denied coverage in the future – but, if you were burgled because you didn’t lock your door, then that could be a problem! A number of insurers are going to be looking for a commitment to managing risk and continued evidence of a good risk posture throughout the lifespan of a policy. This is on top of a priority-driven approach to security that focuses on areas that are considered important by insurers.
Common reasons for rejection:
Lack of endpoint security
For a lot of companies, endpoint security seems like the most important point and they’re likely to invest a lot of time and money into ensuring it's covered. However, gaps are still common. For example, in a post-COVID world, the rise of working from home has led to an increased reliance on laptops and mobile devices. Although the majority of these will be supplied by an organisation, there is still the risk of personal devices being used to access your network – and they might not have the same level of protection as company-supplied hardware.
Long gone are the days when an organisation could just rely on antivirus software for its endpoint security. Now, more advanced measures are being recommended, from tools that mitigate the risk of a DDoS (Distributed Denial of Service) attack all the way to the allocation of a VPN (Virtual Private Network) for external users. The question is: if an application has been rejected on the basis of insufficient endpoint security, which faults should be addressed?
Working out exactly where vulnerabilities lie is a key step for organisations to figure out their next security move. Utilising risk management tools that generate a quick and simple-to-understand risk profile of an organisation is a good idea; they’ll provide a clear picture of what needs to be addressed. We’ve developed our own products with this in mind.
Lack of continuous risk monitoring capability in the face of the ever-changing threat landscape
A lot of insurers don’t just want to see evidence of good risk management only at the point of submission or renewal (a mistake a lot of organisations make!). Rather, engaging with risk across the entire lifespan of a policy will likely make an organisation a much more viable candidate. The best way to accomplish this is to look into continuous risk monitoring. Rather than constantly running manual reports and presenting them as evidence of proper risk management, there are solutions available that offer round-the-clock protection, alerting users of vulnerabilities as they emerge.
This has become all the more important, given the changing nature of cyber risk, with new threats cropping up all the time. The same can be said for zero-day risks that can emerge at any place, and at any time. Ensuring a good risk posture has never been more important; it’s no surprise then that some insurers are reluctant to cover companies that can’t accurately track new vulnerability points or produce reaction plans. Continuous risk monitoring offers 24/7 protection, which not only increases the likelihood of a successful insurance application, but also makes risk a lot more manageable, as vulnerabilities can be handled on an “as and when” basis.
Lack of a business continuity plan or threat response
Similar to the above, creating a plan for the worst-case scenario (a successful cyber attack) is now a priority for all businesses. Some organisations might consider this move counter-intuitive, as they’re so focussed on preventing an attack in the first place. However, due to the increase in cyber attacks across the board, and the widely held belief that it’s a matter of “when” rather than “if”, having a plan to re-onboard a network or system post-attack is more important than ever.
From an insurer’s point of view, implementing a BCP (Business Continuity Plan) that’s relevant to changing circumstances in an organisation, for example, processes that reflect a culture of working from home post-COVID, is a clear example of willingness to engage with risk. It also offers them further insight into what exactly they’ll be covering and for how long, as a plan like this will include an expected recovery time and what resources are required to reconfigure or get a system back online.
With this in mind, it’s clear why not having a plan in place is such a red flag for some insurers. The same can be said for integrating adequate threat response into a business. Before a company defaults to their recovery plan, what they do in the first minutes, hours, and days of an attack can make a huge difference. This response protocol will include a list of key contacts, escalation criteria, and a process map for what to do when a breach or attack is spotted. Again, for insurers, it’s evidence of proper risk engagement and an attempt to mitigate the results of an attack. For businesses, it can mean the difference between a few days or weeks of downtime and shutting up shop forever.
Lack of proper cyber risk and security training
Good cyber health doesn’t stop at the IT department! Common attack vectors (ways in which hackers attempt to access systems and networks) exist across an entire business. The rise of sophisticated phishing attempts (faked emails and messages) will often target non-board and non-technical team members in their attempts to steal log-in information or get unsuspecting employees to download malware directly onto their computers.
Training programmes for cyber threats have become as important for businesses as traditional health and safety programmes. What exactly is covered in each programme will largely depend on the nature of the business itself, but common training includes: how to spot phishing emails, how to report a suspected security incident, and what to do when a team believes an attack is happening.
Alongside keeping training logs, it’s a good idea to carry out tests; there are plenty of options available including phishing simulations. Although proper training is an insurance imperative for a lot of providers, by implementing it, a business can turn its staff into a “human firewall” that acts as an important first line of defence against attacks.
Lack of multi-factor authentication
A relatively new item on insurers’ checklists, MFA (Multi-Factor Authentication) is easy to implement, but also easy to miss. Considered a cyber must-have since around 2021, this extra layer of authentication is something most organisations have already experienced. It involves entering a code after a log-in password. This code is normally generated by an authenticator app (like Google Authenticator) or delivered by text message. There are now even biometric methods like fingerprint and facial recognition.
Both organisations at first-time submission and those at renewal are being asked more and more to show evidence of MFA. Companies should look at implementing MFA “top-down”. By this, we mean starting with users that have the most network or admin access to make sure they’re protected; if these team members are targeted, their stolen log-in details can cause the most damage. Companies should also remember to focus on individuals and teams that have access to sensitive information (another common target for criminals) like financial, healthcare, HR, and legal teams.
It’s not a situation that anyone wants to find themselves in, but refusals are increasingly common. When an organisation has had a cyber application rejected, the first thing they should do is to find out on what terms, or for what reasons, they’ve been denied coverage. The first step would be for an organisation to contact the insurer directly – or more commonly, to get in touch with their broker.
Brokers occupy a unique position in the insurance value chain, in that while they're attempting to get an insured the best deal possible, at the same time they are also trying to translate the requirements of insurance underwriters. This means they have a very good insight into exactly what an underwriter will be looking for. They’ll be ready to give organisations advice on what needs to be changed before reapplying, and as we discussed earlier, the hardening market has meant that insurers are asking a lot more from their customers. The demands on brokers can be quite challenging though; this is one of the reasons we developed the KYND Broker Programme, which offers support and tools to help them steer their clients towards a quote at more favourable terms.
Organisations are hearing more and more about the importance of cyber risk management, from brokers and insurers alike. Why? For one thing, staying ahead of cyber risks means that organisations are better protected, which in a lot of cases also makes them a more attractive proposition for insurers. At the same time, understanding where exactly risks lie means that organisations have a far better time implementing cybersecurity measures. Managing cyber risks should be viewed as the first step in getting “insurance-ready”, and luckily they can get the help they need from KYND too. Cyber risk management keeps businesses protected, and services like ours help organisations of all sizes, even as they’re growing. By keeping on top of vulnerabilities, attacks are less likely to be successful, especially when coupled with the security measures listed above. But don’t just take our word for it! Insurance giants like Beazley have posted about just how successful better risk management is in decreasing attacks. They stated: “Claims experience during the first quarter of 2022 has been better than expected. In particular, we continue to see further improvements in ransomware frequency following continued underwriting actions. The latest data shows frequency reductions since Q4 2020 of 25% per policy, and 65% when premium rate changes are also allowed for.”
What’s more, cyber risk doesn’t have to be treated as a one-off exercise, and it benefits organisations if they look at ways to manage risk pre-submission as well as across the entire lifecycle of a policy. Not only does better engagement with risk increase the chance of securing a policy at a better price and with better terms, it ensures good cyber health too, as companies can adopt a proactive stance to keep risk in check. Of course, most companies won’t have the in-house resources to take care of full management themselves, which is why third-party insuretechs are relied on more and more. Our own tools have been created to help organisations gain unique insights into risk with clear and simple reports, plus our own recommendations on what needs to be fixed, and in what order.
More than this though, KYND presents the opportunity (with the right tools) for continual risk management – the benefit of this is that it stops applications and renewals becoming a chore, integrating the process right into the day-to-day management of a policy or before application. An around-the-clock system of alerts and guidance means that any issues can be flagged up instantly and dealt with quickly, so as not to affect either the policy or the opportunity of a successful application. Arguably, more importantly, it also offers a rare example of “peace of mind” in the cyber industry and can be utilised by the entire value chain.
Can I afford fixes after a refused application?
Advising the best way to budget for cyber insurance and how to afford fixes could be an article in its own right! It's a common question that people ask, and organisations are sometimes of the mindset that the associated financial costs required to get up to a standard that's deemed acceptable by an insurer is not worth the value of having an insurance policy. However, we prefer to flip this argument on its head; rather than considering whether or not you can afford the fixes required by your insurer, perhaps you should consider whether you can afford not to. Although points of rejection and their required fixes are important to securing a quote, they also serve to better protect an organisation as a whole.
The further implications of unchecked cyber risk
The growing importance of cyber risk management and cyber security has become a major concern for global companies, particularly as they are the continued target of cyber attacks. For organisations, the idea of one day joining a global supply chain may be part of their growth plan. They’d be shocked to find out they might not be able to do business with larger organisations without having a level of cyber hygiene comparable to the rest of the chain.
Of course, not every organisation is aiming to get involved with a global supply chain. However, every organisation has the responsibility of protecting the data supplied to them by customers and the information they hold relating to employees. If it is the case that a cyber attack such as a data breach or ransomware attack is successfully carried out and data is lost as a result of this, and it is concluded that adequate measures were not in place to stop said attack, an organisation could be found liable and may be forced to pay the rather heavy GDPR (General Data Protection Regulation) fines. The fines for data loss for customers or employees can range anywhere up to around £18 million (€20 million) or 4% of global turnover of an organisation (whichever is higher).
From the above examples, it’s pretty clear that good cyber health through better risk management is more than just a tick-box task for obtaining cyber insurance. More than this, if organisations take a look at the real damage an attack can do, they’ll understand that the fixes generally recommended by an insurer are in line with better protection for businesses. Associated costs of an attack can include the cost of downtime, combined with lost earnings and possible payouts. There’s also the fee attached to hiring an external PR company, which is often required when an attack damages a company’s reputation. There’s even the risk of losing industry research and private data, which can hinder progress in whichever market a business occupies.
This paints a slightly grim picture, but there’s another thing to consider. Organisations might be closer to these fixes than they think! Take MFA, for example; it might have been implemented across 95% of the relevant log-ins in the network, but the extra 5% that are not covered present a red flag to a lot of insurers and can result in a refusal. Our own tools have actually been designed to segregate risk into three priority categories and where they exist at every point in a network or system. This gives companies the ability to see exactly where the risk lies, how important this risk is, and how they can fix it: all in plain and easy to understand terms.
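As an added worked example of the “top-down” MFA rollout and the 95%-covered gap described above (this is illustrative code, not KYND’s product or tooling): the script below audits a constructed identity-provider export, reports overall enrolment, and lists unprotected accounts with admins first, then sensitive-data teams. The CSV columns, team names and three-level priority scheme are assumptions.

```python
# Added illustration (not KYND's tooling): audit MFA enrolment from a user-directory
# export and rank the gaps "top-down" by privilege. The CSV layout, team names and
# three-level priority scheme are assumptions.
import csv
import io
from collections import Counter

# Constructed sample export, like one an identity provider might give you.
SAMPLE_EXPORT = """\
user,team,is_admin,mfa_enrolled
alice,finance,true,true
bob,it,true,false
carol,hr,false,false
dave,sales,false,true
erin,legal,false,true
frank,it,true,true
grace,marketing,false,false
heidi,finance,false,true
"""

# Teams that handle sensitive data (assumed list, following the page's examples).
SENSITIVE_TEAMS = {"finance", "healthcare", "hr", "legal"}

def parse_export(text):
    """Parse the CSV export into user dicts with boolean fields."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "user": row["user"].strip(),
            "team": row["team"].strip().lower(),
            "is_admin": row["is_admin"].strip().lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].strip().lower() == "true",
        })
    return users

def priority(user):
    """1 = admin/privileged, 2 = sensitive-data team, 3 = everyone else."""
    if user["is_admin"]:
        return 1
    if user["team"] in SENSITIVE_TEAMS:
        return 2
    return 3

def mfa_gaps(users):
    """Accounts without MFA, highest priority first (the top-down order)."""
    gaps = [u for u in users if not u["mfa_enrolled"]]
    return sorted(gaps, key=lambda u: (priority(u), u["user"]))

def coverage_report(users):
    """Overall enrolment percentage plus gap counts per priority level."""
    total = len(users)
    enrolled = sum(1 for u in users if u["mfa_enrolled"])
    gaps = Counter(priority(u) for u in mfa_gaps(users))
    return {
        "total": total,
        "coverage_pct": round(100.0 * enrolled / total, 1) if total else 0.0,
        "gaps_by_priority": {p: gaps.get(p, 0) for p in (1, 2, 3)},
    }

if __name__ == "__main__":
    directory = parse_export(SAMPLE_EXPORT)
    print(coverage_report(directory))
    for u in mfa_gaps(directory):
        print(f"P{priority(u)} {u['user']:<8} team={u['team']} admin={u['is_admin']}")
```

Run against a real export, the priority-1 list is the set of accounts to enrol first, and the overall percentage is the figure an underwriter will ask about.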
How can organisations work with brokers/underwriters better?
We champion the idea of open communication between every member of the insurance value chain, and this is incredibly important when we consider first submission or renewal. It can go a long way towards alleviating a lot of the friction that exists within the insurance value chain between insureds, brokers, and underwriters. Organisations should always remain honest about risk and the state of their cyber health (when they know how). Those that don’t disclose potential risk elements put brokers and underwriters in a very difficult position, as they haven’t given them the full picture. At the same time, all they’re doing is hurting themselves. While not disclosing risks might seem like a way to secure a lower quote – in the long run the truth will always come out. An attack that occurs due to an undeclared or uncovered attack vector is rarely viable for a claim. It can also severely limit the chances of renewal in some cases too. For first-time quotes, all organisations are doing is delaying the inevitable, as an underwriter will work hard to gain a full understanding of the cyber risk profile of a potential insured before underwriting any risks.
Similarly, brokers who don't effectively communicate to clients the requirements of an underwriter will find that they are unable to meet the standard that insurers require, which can result in them being denied coverage. Finally, underwriters who don't work with brokers and aren't clear in exactly what they need to be able to underwrite a risk will find more and more applications that don't meet the standard they require. A policy of open communication is important to foster from the moment of first application, and the reason for this is that in being able to communicate risk elements, you give the intended party plenty of time to fix them.
Our pioneering tools and services have been created to make risk easy to understand and manage by everyone. When you consider how much getting cyber coverage has changed in such a short space of time, the process can appear quite daunting. This is where we can help! KYND can quickly analyse a business’ risk with a non-intrusive process that allows immediate insight into vulnerabilities. These vulnerabilities and their suggested fixes are in-line with the requirements of underwriters and even if an organisation has had an application rejected, they’ll be able to see exactly which points need to be addressed.
Continuous risk monitoring offers a pre-submission and in-life solution that is more than just about obtaining cyber coverage. It puts organisations in a position where they can build a better risk posture independently! Our own tools have been designed to offer a round-the-clock solution; risks are highlighted instantly and notifications are sent automatically. Even if an organisation isn’t technical, our non-jargonistic approach means recommended fixes are easy to understand and quick to implement. For insurers, a better commitment to risk engagement across the life of a policy will also greatly improve the chances of a successful renewal.
Our service doesn’t just stop with insureds; in fact, we offer specialised solutions especially for brokers with the aim of helping them guide potential insureds to a quote by reviewing applications and finding areas of improvement, while at the same time building a risk profile of a broker’s client, all of which is reported on and fed directly back to ensure a quicker and simpler process that costs less. For insurers and underwriters, we offer them the ability to view exactly how organisations are coping with cyber risks in the ever-shifting landscape, both pre-submission and in-policy. This ensures that coverage is always up-to-date with the needs of organisations.
All KYND services focus on simplicity. We want everyone to be able to better see, understand, and manage cyber risk. To find out more, please get in touch: firstname.lastname@example.org.