Companies seeking cyber coverage must meet an increasing number of underwriting requirements to place a policy with appropriate terms and conditions and at a reasonable premium. These requirements reflect the significant increase in cybersecurity risks in recent years, such as the ransomware crisis.
Cybercrime is big business. In 2023, global cybercrime is expected to inflict damages of $8 trillion, making the industry more profitable than the entire global illegal drug trade. The United Kingdom takes the unfortunate award for having the highest number of cybercrime victims per million internet users, with the United States next in line.
As cybercrime increases, so too does the need for cyber insurance. The increased risk and severity of cyberattacks has led more organizations to opt to place cyber coverage – up from 26% in 2016 to 47% in 2020. But opting to buy cyber coverage is not that simple. Insurers require policyholders seeking cyber coverage to disclose a large amount of information in the application process, and any misrepresentations in the application process – even if unintentional – may have severe consequences for the insured, depending on the nature of the misrepresentation and applicable law.
The application and underwriting process can be lengthy and is a team effort
Organizations seeking cyber coverage should be prepared to engage in a lengthy, highly detailed application process. The risks are quickly evolving, and insurers have adapted by asking large numbers of questions to attempt to evaluate and price the risk.
To start with, insurers have been increasingly engaged in heightened underwriting practices. No one person in any organization is likely to be able to provide all the information necessary to complete an application for cyber coverage. Accurately completing an application is likely to require input from an organization’s information security, risk management, finance, operations, legal, marketing and human resources departments.
In addition to the lengthy general application for cyber coverage, certain insurers may have specific applications for companies operating in specific industries, particularly those that are considered “attractive targets” for cybercrime, such as infrastructure, law firms, health care providers and financial institutions. These industries generally hold very valuable data, which makes them more likely to be targeted for ransomware and other types of cyberattacks. Then, if an insured seeks additional coverage or features that may be offered by the insurer, it may need to complete supplemental questionnaires and addendums, all of which likewise seek detailed information, require input from multiple stakeholders and take significant time to complete.
This process should begin well in advance of the anticipated policy inception or renewal date, and all departments must work collaboratively to obtain accurate and detailed information in response to the insurer’s requests to secure the best available policy.
- Organizations must meet increasing underwriting requirements to obtain cyber coverage.
- The application process for cyber coverage can be detailed and lengthy.
- Cyber insurance application materials are likely to be highly scrutinized after a cyber loss or claim.