United States: Cyber Insurance Renewals Are Anything But Routine

Originally published by New Hampshire Bar News.

Ten years ago, most businesses did not know that cyber insurance existed. Five years ago, still many had not yet purchased it. Now, every business knows, or should know, that it needs cyber insurance. Risk conscious individuals would never leave their driveways without auto insurance, or operate a professional services firm without malpractice coverage. Likewise, risk conscious businesses cannot operate in a digital world without good cyber insurance.

Similarly, five years ago, cyber insurance was cheap and easy to acquire. Carriers asked few if any questions, and premiums were low and largely dependent on just the size and industry of the business. Two years ago, businesses still could easily renew their existing cyber insurance policies with their existing carriers, without tremendous effort or premium increases. But then, Texas froze, California burned down, cyber-attacks exploded, and the world plummeted into a global health pandemic. Insurance underwriting was flipped upside-down in 2020.

Carriers became desperate to shed risk and increase premiums for all coverages, particularly cyber, in order to offset losses and restore profits. As a result, premium increases of 50% to 200% have become common for cyber renewals, even for security conscious businesses that have never experienced breach. For companies victimized by breach, premium increases of up to 400% are not uncommon, if those businesses can secure coverage at all. Indeed, carriers are simply refusing to renew coverage for breach victims, as well as small businesses with low premiums, leaving them without cyber insurance altogether. Additionally, the policies being offered often trim the coverages provided, such as by significantly increasing deductibles, significantly decreasing sub-limits, and excluding coverage for certain losses entirely.

As if all that were not bad enough, businesses facing a cyber-insurance renewal must now clear another major hurdle, in the form of a detailed application questionnaire. Whereas carriers previously asked few, if any, questions about a business's security preparedness before issuing cyber insurance (admittedly, poor risk management), carriers now have reversed course. These questionnaires include pointed inquiries to assess if a business has implemented very specific cyber security safeguards, such as multi-factor authentication, device and data encryption, virtual private networks, advanced threat detection and prevention applications, elevated privilege controls, duplicative and encrypted backups, and so on and so on.

Even businesses that have previously addressed cyber security can struggle to answer all of these questions in the manner carriers want. And, a failure to do so often results in large premium increases or flat non-renewal. Thus, the consequences of this process can be severe. Two steps are critical to properly prepare to secure cyber insurance or a renewal of it.

First, businesses should start working with their insurance agent and a cyber-security attorney at least six months before the anticipated date for submitting the applications for cyber insurance or a renewal of it. The agent and counsel should review the application questionnaires from the carriers that the business plans to apply to, in order to determine the specific safeguards required by those carriers. Such advance planning is necessary because months are often needed for the business to implement measures that it may be lacking. Additionally, working with a cyber-securing attorney will help ensure that the application is completed appropriately, and that the process is protected by the attorney-client privilege.

Second, if a business has experienced a breach or even just a lesser security incident within the past several years, it will need to work with its insurance agent and a cyber security attorney months in advance of the application process in order to design a strategy to address the breach or incident during that process. Such a strategy will likely include determining which carriers may be willing to consider issuing coverage despite the breach or incident, and the likely premium increase for such insurance. Such a strategy also necessitates ensuring that all actual and potential vulnerabilities that caused or may have caused the breach or incident have been fully remediated, and that the business is able to tangibly demonstrate that it has significantly improved its cyber security safeguards generally after the breach or incident and that it complies with an industry accepted cyber security standard.

Cyber insurance renewals are anything but routine. Businesses that fail to prepare – starting months in advance of that process – are likely to be unhappily surprised by either a staggering premium increase or outright non-renewal.

Cameron Shilling is a shareholder at McLane Middleton, where he is a Director of the Litigation Department & Chair of Cybersecurity and Privacy Group

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.