What Happens When You Lose Your Cyber Insurance?

In a world where a cybersecurity incident is considered a “when, not if” scenario, having insurance coverage can be an important way to reduce financial risk. More companies are investing in cyber insurance policies; direct written premiums increased 51% year-over-year in 2022, according to Fitch Ratings.

But it is important for enterprise leadership to recognize that it is possible to lose that coverage, leaving their companies vulnerable to the entire financial burden of a data breach or cyberattack. Why could a company lose its cyber policy, and how can it approach getting new coverage?

Why You Might Lose Coverage

Failing to pay the premiums is the most obvious and easily avoidable reason that companies will find themselves without cyber insurance coverage. Premiums are steadily increasing as the threat landscape continues to grow, but nonpayment will result in your carrier dropping you.

But simply paying the bill might not be enough to ensure coverage remains in place. When it comes time to review the policy, an insurance company may opt for nonrenewal. That nonrenewal decision can be based on different factors.

Claims activity during the policy period, for example, will be a consideration. “When a large claim happens, what you'll see in the industry is the cyber insurer will reevaluate the security of the organization,” explains Monica Shokrai, head of business risk and insurance at Google Cloud.

Related:How to Get the Best Cyber-Insurance Deal

Even the most well-prepared organizations can fall prey to cyber attackers, but some organizations are vulnerable due to lack of proper controls. “Was the claim brought about by some entrenched structural, systemic problem with the company’s cybersecurity that may make them undesirable or uninsurable?” asks Avery Dial, partner at Kaufman Dolowich and chair of the law firm’s data privacy practice group.

If the answer to that question is “yes,” companies could face more expensive premiums or nonrenewal.

Companies may even lose their coverage before the policy period is up if the insurer determines it misrepresented its cybersecurity posture in its application. When a cybersecurity incident occurs, a forensic investigation will most likely be conducted. “Those forensic reports sometimes reveal that things were not as they were represented, at least in the insurer’s view. And the insurer will then seek to rescind the policy,” Andy Moss, a member of Reed Smith’s insurance recovery group in the law firm’s litigation department, tells InformationWeek.

Whether or not an insurer will be able to rescind the policy before the end of the coverage period will depend on the policy language and state law.

Related:Is Your Cyber Insurance Policy Up to Snuff?

Some companies may be dropped for an insurance carrier not because of claims activity or a less than desirable cybersecurity posture.

“The other had to reason that we're seeing that clients are being non renewed is really out of their control, and that is a change in the carriers’ appetite,” says Marvin Cigarroa, senior director of insurance at DataStream Cyber Insurance. “They've decided that they no longer want to write certain industry classes, certain revenue sizes.”

The Risks of Insurance Loss

If there has been outright fraud or misrepresentation on the application, the loss of coverage could be sudden. In most cases, companies will not find themselves unexpectedly without insurance. “You're going to have notice, whether that's 60 to 90 days out,” says Cigarroa.

Even with notice, organizations will be working against the clock. Can they get new coverage in time to avoid a gap? If an enterprise does experience a gap in coverage, any costs associated with a data breach or cyberattack that occurs during that period will not be offset by insurance.

The prospect of getting new coverage also means that companies will have a new retroactive date for coverage. If an incident that dates back months or even years is uncovered, the new policy is very unlikely to cover it.

Related:5 Pitfalls and Possibilities AI Brings to Cyber Insurance

“You are not going to be able to go back and cover things that happened under the prior insurance or especially during that window of time between when the last policy was cancelled or lapsed to when the new policy is placed,” says Moss.

Companies may find themselves caught in the middle when they switch insurance companies. Incidents may have occurred in a prior policy period but have losses that extend into the new policy period. “Those insurers might point fingers at each other as to who's responsible,” says Moss.

A gap in insurance can also jeopardize a company’s relationship with its customers. Many vendors require their partners to carry cyber insurance. “If a company's losing [its] cyber insurance, they need to reevaluate their contracts and make sure that they can meet those contractual obligations,” says Shokrai.

Getting New Coverage

Depending on the reasons for nonrenewal, a company may have the option of approaching their current insurance carrier about the possibility of remaining a customer. For example, a company facing nonrenewal because of its lack of cybersecurity controls could put in the work to implement an improved strategy.

“There really isn't anything preventing you or your broker from going to that carrier despite the nonrenewal notice: presenting an application, presenting these improved controls,” says Cigarroa.

If a company can no longer work with its current carrier, it is time to go out to the market.

“I would go to an insurance broker that worked with several different carriers and have that broker shop the risk to multiple carriers,” says Dial.

Some insurance companies work faster than others, but leadership can typically expect it to take some time to receive and then compare multiple quotes.

“I would say that's going to probably be anywhere from one to four weeks ... in terms of being able to secure a quote,” says Cigarroa.

When you apply for new insurance, you will likely be required to disclose information about your previous coverage. Potential new insurers may also request a loss run. “It's basically a claims report that shows how many claims you've had in the past few years. What were the total amounts paid on that claim?” Cigarroa explains. That information could impact an insurer’s risk assessment and resultant quote for a potential new customer.

If your company has been dropped by an insurance carrier, that is likely to make the underwriting process for a new policy longer and premiums more expensive.

“I would shop, but I would also prepare to have less coverage, poorer terms, and higher premiums,” says Ty Greenhalgh, industry principal of healthcare at Medigate by Claroty, a healthcare cybersecurity platform.

Companies may need to consider self-insurance if they cannot obtain adequate coverage for their potential losses, Greenhalgh adds.

Companies looking to apply for new coverage can make that process easier, and potentially less expensive, by taking demonstrable steps to improve their cybersecurity posture.

“Here's what happened, here are the steps that we've taken since then in order to make ourselves a better risk going forward. And that is worth a lot,” says Cigarroa. “That's really what's going to give the new insurance company a lot more comfort in terms of quoting and [underwriting] that risk.”

Preventing the Loss of Coverage

Denial of coverage has been cause for legal battles. Pharmaceutical company Merck sued its insurers over denied coverage of a NotPetya cyberattack that occurred in 2017, Fierce Pharma reports. The insurers may be responsible for $1.4 billion per payout.

But do companies have legal recourse if their insurers drop them? The answer to that question can be tricky. If the insurer did not follow its obligations for the nonrenewal under state law, there may be cause for legal challenge.

Avoiding the loss of coverage, and even the question of whether a legal battle is worth pursuing, is the best scenario for most companies. What can enterprise leaders do to maintain their companies’ cyber insurance?

Ensuring that a strong cybersecurity strategy is in place goes a long way. Look at industry standards for network security, device management, and vulnerability management. Are there gaps in your organization’s cybersecurity posture? How can those gaps be closed?

“The insured client needs to make sure that they have their cyber controls in place to make them less risky, and therefore, they want to make sure that they have MFA and EDR or whatever parameter the insurance company asked them to put into place prior to execution of the policy,” says Dara Gibson, senior cyber insurance manager at cybersecurity advisory and solutions company Optiv.

Transparency is also important to maintaining a relationship with a cyber insurer. “If you're not thorough and honest in the application, then you're not going to be able to have that kind of dialogue with the insurer where they can instruct you as to what you need to be doing to remain insurable with them,” says Dial.