Match Your Cybersecurity and Coverage to Your Unique Exposures

OCTOBER 4, 2022

With daily news reports about cyberattacks, organizations today accept cyber incidents as a fact of life. Some organizations attempt to prevent them and retain the risks, while others transfer these exposures with insurance. The latter approach requires a thorough assessment of the organization’s information technology (IT) risks and non-IT risks from a cyber insurance expert. Having this assessment done is imperative to understanding and negotiating for the coverage you actually need.

Some industries have more difficulty tightening cyber loss controls than others. Click on the following sections to read about the impact of cyberthreats on four industries: healthcare, construction, manufacturing and distribution, and real estate. (All organizations can access important data and insights on cybersecurity and coverage best practices in USI’s 2022 Commercial Property & Casualty Market Outlook Mid-Year Addendum.)

Real Estate

For all industries, underwriters are taking a more thorough and technical look at each organization’s cyber exposures and loss controls. Insurers expect more than base-level information security controls: they expect these and other controls to be fully implemented across an insured’s entire enterprise. Base-level controls include multifactor authentication, endpoint detection and response, backup security, network segmentation, and the existence of a security operations center (SOC) to monitor logs. Insurers are now also requiring:

  • Utilization of common vulnerabilities and exposures (CVE) threat-hunting teams to monitor and respond to common vulnerability exploits
  • Constant review of domain administrator accounts
  • Vigilant assessment of service accounts
  • Deployment of managed detection and response to not only monitor logs but act on them

Insureds that do not adhere to base-level information security controls will likely experience higher premiums, restricted coverage, reduced insurance capacity, or higher self-insured risk (SIR) — assuming insurance carriers are willing to take on the risk. Even organizations with average risk profiles may face higher premiums and restrictions to retentions and policies.

Insurers are looking for organizations to deploy enhanced phishing controls and, most critically, would like clients to actively reduce their data footprint. Organizations should inventory the data they absolutely need and remove the data they don’t. Understanding the risks is the first step to improving cybersecurity and presenting the best possible risk profile to underwriters.

Contact your USI representative or email to learn more about the solutions designed to mitigate risk and protect your organization in the event of a cyber incident.