Cyber Insurance Companies Tighten Their Payout Policies
While cyber insurance is only one part of a comprehensive cybersecurity strategy, K–12 IT professionals are finding it harder to retain this component.
“The cyber insurance market has been on a roller coaster, with skyrocketing premiums, changes in coverage, and a demand for policies that outweighs available supply,” notes Heidi Shey, principal analyst at Forrester, in a company blog post.
“After years of affordable and readily available policies, the ubiquity of cyber insurance combined with the rise in cyberattacks has changed the power dynamic in favor of the insurers.”
Jason Cray, technical owner of the data protection and information management practice at CDW, has picked up on similar shifts in the cyber insurance market.
Cray and Tony Roberts, senior solutions engineer at CDW, both have noticed new limitations on cyber insurance policies during their work with CDW customers. “The insurance premiums are just going through the roof, if you can even get them,” Roberts says. Plus, “insurance companies now are defining in their contracts that they’re not going to cover an attack if it comes from a specific nation-state.”
Cray notes that paperwork from insurance companies is becoming more arduous. Insurance applications used to include 20 to 30 questions, Cray says, but those forms now routinely include over 400 questions worded in confusing ways that make them nearly impossible for applicants to answer.
“Now, our main application is five pages long, and then, when you go back to the supplemental, it’s five more pages,” Kristen Landis, technology director at North Penn School District in Pennsylvania, said at ISTELive 23. “There’s a lot of detailed information they’re asking about.”
Regarding questions about an organization’s immutable storage, Cray says applicants might wonder, “‘Do I answer yes? My answer is yes.’ And then the insurer comes in and says, ‘Well, no, you didn’t have it across your entire environment, so we’re not going to pay.’”
Of course, if applicants answer no to the question, their rates will certainly go up — if the insurance company doesn’t completely refuse to insure them. “And that’s the reality of what clients are facing today.”
“It’s getting super difficult to get it, to maintain it and then to adhere to it,” Roberts says of cyber insurance.
Even when trying diligently to comply with the terms of a policy, organizations run the risk of an insurance company picking apart a policy and ultimately saying, “‘Well, you weren’t doing this one thing, so we’re not going to pay out.’ And I think schools have to take a look at that from a risk perspective.”
Warranties and Self-Insurance Give Schools More Security
Cyber insurance has become a growing trend in K–12 IT circles. And while it can help defray the costs of a ransomware attack, it can also be a beacon to cybercriminals, indicating a willingness to pay a ransom if necessary.
Although many schools don’t have the budget to self-insure, there are still ways to reduce the cost of cyber insurance premiums. “I wish there was more money being spent on preventing an incident and figuring out how to respond to it,” said Doug Levin, director of the K12 Information Security eXchange, at ISTELive 23.
“Insurance is important, but it's overplayed. School leaders view the insurance as the solution to the problem as opposed to being the backstop.”
Roberts notes that some third-party security providers, such as Rubrik, offer warranties that insurance companies recognize as extra assurance of an organization’s data protection strategy.
“The key to it is that you have to qualify for their ransomware warranty,” Cray says. “When you sign up for their premium support, that means they have somebody who’s actively monitoring your environment to make certain you’re following all of the best practices, even when they are updated.”
The warranty gives an insurance company greater confidence, and it may be willing to offer a cyber insurance policy at a lower rate. If schools can self-insure, they may want to consider it as a way to protect themselves in the event of a ransomware attack.
“Self-insurance basically becomes a line item in the budget,” Cray says. “They budget and say, ‘We already pay X amount on premiums to an insurance company to have insurance. Instead of doing that, we’re going to take that money, budget it and essentially put it into a savings account that is overseen by a third party.’”