By: Andy Clemens, CPA, CIA

These days, it’s common for financial institutions to purchase cyber insurance to help mitigate financial losses from network breaches. According to the U.S. Government Accountability Office, the proportion of organizations adding cyber coverage increased from 26% in 2016 to 47% in 2020.

But in the event of a loss, processing such claims can be expensive, and insurers are becoming more selective about the companies they agree to insure and for how much. In response to mounting losses from cybercrime, insurers also are raising premiums.

If your financial institution wants to qualify for or keep cyber insurance at an affordable price, we recommend the following five steps:

1. Spend time with the application: Insurers ask applicants to complete a security questionnaire to help them understand the risks facing the companies. Answering the questionnaire fully and accurately may require input from your institution’s information technology (IT) department and even from third-party technology companies such as your cloud computing provider. Failure to respond to a question may provide sufficient evidence for the insurer to deny coverage.
2. Revisit your security program: The health of your cybersecurity program is a significant factor in qualifying for cyber coverage. Your organization has a better chance of getting coverage if, for example, it can demonstrate its ability to patch software, encrypt data, deploy multifactor authentication, and educate employees about cyber threats. Assess the health of your program and take steps to improve its effectiveness should deficiencies become apparent.
3. Formalize plans and policies: An effective security program depends on robust incident and disaster recovery plans. If your institution has yet to create such plans, do so before applying for cyber insurance. In addition, review and update your security-related policies. Most insurers will ask to see them.
4. Consider a third-party assessment: To uncover weaknesses before they result in a coverage denial, consider engaging a third-party to assess your security program. This can be particularly beneficial if you haven’t yet applied for coverage because some security firms maintain relationships with insurance companies and can help streamline the application process.
5. Prepare to be tested: Some insurers might want to test your institution’s defenses via a penetration test. Before applying for cyber insurance, ready your IT network for a possible ‘attack.’

Even if your institution already has cyber insurance, you may need to fight to keep it. Instead of renewing your policy automatically, your insurer could review your risk characteristics and drop you. With these challenges in mind, be sure to maintain and regularly upgrade your security program.

KPM’s team of financial institution advisors can offer IT audits, vulnerability assessments, and penetration testing to help you find potential threats and qualify/keep your cybersecurity insurance. Contact us today to learn more.