After years of taking a bath on payouts, cyber insurance companies are taking a page from the Vegas playbook. Insurers are mandating that businesses, like your RIA firm, have certain cybersecurity precautions in place; otherwise, they won’t offer you coverage.
It’s easy to see why the change is happening. For years, cyber insurance was the best deal in town. In exchange for a few thousand dollars, your insurance company agreed to be on the hook for hundreds of thousands of dollars – if not more.
It worked out for everyone when threats were relatively rare or laughably easy to spot. Then attacks surged, and insurers started losing money.
How Cyber Insurance Companies are Tilting the Odds in Their Favor
Insurers, like Vegas casinos, can’t run a profitable business if they’re constantly making payouts that are 7 figures or higher. Still, you’ll be forgiven for lacking empathy if you get one of these notices.
“You’re denied and we’re not renewing you.”
A client recently came to us and said their insurer bluntly refused to renew their cyber policy. Our client had not done anything wrong or suffered a breach.
Insurers start from “no” because they are trapped in an unsustainable business model. To escape, they’re forcing their customers to mitigate cyber risks.
“Full coverage doesn’t kick in until you do X, Y, Z”
Other RIAs come to us because their insurer gave them a cybersecurity to-do list. It’s often a high-priority project because failure to meet the requirements can be costly.
Until you complete the to-do list, your deductible doubles and you’re responsible for half of what the insurance company pays out if a breach occurs.
Once you cross off each item, your deductible returns to normal levels and the insurance company covers 100% of the costs. The requirements are whichever cybersecurity best practices the insurer deems most important. Multifactor authentication on all accounts is a popular condition.
How RIAs can Regain the Upper Hand
In Vegas, you’re stuck hoping you hit a lucky streak. With cyber insurance, you can stay one step ahead of the insurance companies. Follow the advice below to make it easier to get, and keep, cyber coverage.
Find an IT provider with proactive cybersecurity services
That to-do list we mentioned above will be a breeze for any RIA with a proactive, cybersecurity-minded IT partner. Our clients are ahead of the curve because we pay close attention to cyber trends and the most effective, innovative solutions.
Multifactor authentication is one example. We started recommending it to clients years ago. Now, when their insurers require it, our clients don’t have to take any additional steps to get coverage.
Work with a provider who knows your industry
Cyber insurance mandates add yet another layer of requirements to regulated industries like financial services. When it comes to technology-related points, you don’t want to detangle the web on your own.
An IT provider with strong knowledge of the cyber landscape and your legal requirements is essential. They’ll help you hit the sweet spot with cybersecurity services that protect your firm, meet IT-related compliance and satisfy your cyber insurer’s to-do list.
(P.S. if you’re curious about our tech-finance credentials, read this.)
5 essentials every cyber policy should have
Every insurance company writes policies differently. As we advise RIAs on what to look for, we always recommend that the following 5 services be covered.
1. Notification assistance
It sounds formulaic when you get a letter that says your data may have been included in a breach so you’re getting 1 year of free credit monitoring services.
While there is a standard playbook, getting the message out, telling the right people and providing the necessary post-breach services will upend your business if you try to do it on your own. You want your coverage to pay for someone to sort out the patchwork of disclosure requirements and send the notices for you.
2. Legal counsel
Odds are that any attorney you’re working with right now does not have extensive cyber breach experience. So, you’ll want your policy to cover legal counsel. The specialist will help with the patchwork of disclosure requirements we described above. They’ll also keep the incident out of the public eye until you’re ready to disclose it.
If your lawyer is on all calls while the incident is in progress, you and your company will be protected by attorney-client privilege. This helps you control the narrative, especially early on when you don’t have concrete answers about the scope of the attack.
3. Help with recovering your losses
No one is going to feel sympathy for you or step in and give you money if you lose it all at the gambling table. How much assistance you get from your insurance company depends on the payout limits. This could be an annual amount or a per-incident maximum.
Read this section carefully and select a policy with a payout you’re comfortable with.
4. Forensic investigation
To resecure your business, you need to figure out how the bad guys got into your systems. Only then can you fully eradicate the threat from your systems and put safeguards in place to prevent future breaches.
A forensic investigation tells you:
- How the bad guys got in
- If you’ve really kicked the threat actors out of your systems
5. Public relations professionals
All breaches eventually become public knowledge and the reputational damage can be staggering. You need to rebuild trust with clients and communicate to the public with one cohesive narrative. If the press reaches out, you want a point person who will tactfully handle all inquiries. This is best managed with the help of public relations experts.
Don’t Bet the House With Inadequate Coverage
Before you write off having a policy or dismiss the requirements insurance companies are handing down as irrelevant, ask yourself these questions:
- Why is the insurer making these protections a condition of coverage?
- Why are they walking away from taking my money?
- Should I really be taking on a risk an insurance company isn’t willing to swallow?
Cybersecurity services stack the cards in your favor
When we evaluate policies with RIAs, we help them make fully informed decisions. We walk through real-world scenarios to say, “if this happens, here’s what you’ll have to pay out.” Our RIA clients end up with cyber services and policies that:
- Minimize threats to their business
- Keep clients safe
- Provide assistance if an incident occurs
Our expert IT consultants are here to help you, too. Call us today and we’ll help you understand the latest trends in cybercrime, your risk exposure and how to protect your firm with strong cybersecurity services and insurance.