Why cyber insurance companies are requiring businesses to use multi-factor authentication

Canadian cyber insurance companies are now requiring businesses to offer multi-factor authentication (MFA) and have cybercrime/data breach response plans in place before qualifying for coverage.   

Prudent, since cybercrimes and ransomware attacks are on the rise – Canadians have lost $4.9 billion to ransomware attacks in the last year.    

As such, it’s essential to make sure clients are properly covered and have adequate security measures in place. 

Tim Zeilman, vice president and global product owner-cyber at Hartford Steam Boiler, said a good cyber insurance policy should address:  

• How to help businesses respond to a breach of personal information;  
• How to respond to computer attacks and ransomware by restoring systems and recovering assets alongside third-party experts; and   
• Coverage for various kinds of business fraud. 

Data breaches in Canada cost organizations an average of $4.5 million, and surged 10% from the year previous, according to IBM’s Cost of a Data Breach Report 2020.   

“Ransomware continues to be the big thing in terms of the driver of claims, and the things that insurance carriers are really concerned about. It’s just a super successful business model for the cybercriminals,” Zeilman said.    

With cyber claims rising, how would insurers go about bringing them down? Zeilman said traditional underwriting tools have been most effective in controlling losses.  

“Things like requiring more information [when underwriting], becoming more selective about the accounts that they’re willing to write, perhaps not writing certain industries as a way of bringing those loss ratios under control, tightening terms, adding exclusions [and] not offering the kinds of overall limits that they were offering [prior],” have been most effective, Zeilman said.   

Two differing reports show how stark the cyber claims loss ratios have been. The Office of the Superintendent of Financial Institutions (OSFI) reported a loss ratio of 498.9% for the first six months of 2020, whereas MSA Research’s 2020 Q2 Quarterly Outlook Report reported a loss ratio of over 1,100%.  

“When we think about loss ratios that have increased over the last couple of years, we’re almost entirely talking about ransomware,” Zeilman said.   

“In some cases, it’s gone up in a manageable way, gradually over time, and in other cases for other carriers, they saw real spikes and dramatic and damaging spikes and loss ratios, particularly over 2019 and 2020,” he said.   

Throughout 2021, carriers have been putting controls and measures in place to manage loss ratio spikes. “We’ll probably see over the course of this year, how successful they’ve been,” Zeilman said.   

Many are reporting that cybercriminals are attempting to take advantage of the upheaval caused by the COVID-19 pandemic, but Zeilman said ransomware attacks have been rising since before the pandemic and have evolved to become more sophisticated in recent years.    

“There may have been something of an impact of the pandemic and the fact that people are working remotely, perhaps more susceptible to ransomware attacks, because they’re so reliant on their IT systems for remote work,” Zeilman said. “But I think that’s largely been part of an overall trend that we would have seen whether or not we’ve been hit by the pandemic.”   

To mitigate ransomware attacks, insurance carriers should be asking questions related to cybersecurity before taking on prospective client businesses.   

“Credential management, passwords, multi-factor authentication, backups, having online or off-site disconnected backup controls related to email that might prevent phishing,” are components that carriers should be ensuring their clients have in place, Zeilman said.    

When it comes to an acceptable breach plan for clients, Zeilman said a plan alone is not enough, and that it needs to be taken “off the shelf periodically to reassess it to see whether it’s still meets your needs to see whether it’s up to date.”   

He listed three components for clients to address when executing their data-breach plan:   

• Have a detailed plan that establishes third-party breach response providers in advance;  
• Update your plan regularly to respond to current risks; and  
• Practice your response plan regularly in case of a breach.  

A good data breach plan needs to “react to the risks as they exist today, not the risks as they were a year or two ago,” Zeilman said. “The plan itself should be flexible enough to respond to a variety of different kinds of situations.  

“You don’t want to figure out how to fight a fire when the house is burning down. You want to make those decisions ahead of time.”   

Feature image by iStock.com/anyaberkut