Cyberattacks continue to increase, fueled by more sophisticated and persistent attackers. Ransomware attacks alone have increased by a staggering 148%, and multimillion-dollar ransom payment demands are no longer a rarity. And unlike in past years, when certain industries, such as healthcare, were more likely to be targeted, companies in all sectors are at risk.
As cyberattacks and related claims have skyrocketed, insurers are taking a much more cautious stance — tightening their underwriting controls, carefully scrutinizing all cyber insurance applications, and asking more questions than ever before about applicants’ cyber operating environment.
Even companies with no cyber claims history face an arduous renewal process. And those that do not satisfy insurers’ expectations often face the prospect of non-renewal or are unable to get their preferred coverage, with limitations becoming more common, especially in relation to ransomware.
Insurers are focusing heavily on the controls organizations have in place to become cyber resilient. While these controls have been established best practices for several years, some organizations are still struggling to adopt them, most often because they have not been able to justify the cost or did not understand or see the need for the controls. Although cyber resilience controls were previously required in regulated industries, they were often more about checking a box than enhancing security.
But with their insurability — and potentially also their financial stability — at stake, organizations across the board need to make a concerted effort to adopt controls that mitigate ransomware risks and improve their cybersecurity posture and resilience.
There are 12 main areas that organizations should focus on (see figure above). However, as a starting point, they should prioritize the following five cyber hygiene controls to have the most impact on insurability, mitigation, and resilience:
In a more difficult insurance market, having the necessary controls in place can help you achieve your risk transfer goals. And the right cyber hygiene controls will give you a higher level of security, a better ability to identify threats, and ideally a quicker recovery from an attack.
For more information, contact your Marsh representative.