Insurance Companies are now driving cybersecurity regulations and policies for businesses.
- by Jennifer Gilligan
Government cyber regulations have been slow to arrive, held up by bureaucracy, a lack of technical knowledge, and lobbyist interests. Many IT Service Providers have also been reluctant to agree on a common set of best practices, processes and policies, with widely differing opinions on how much threat and tool coverage is enough (or best) for their clients. To muddy the waters further, the tool vendors those IT Service Providers rely on often disagree among themselves about what constitutes adequate security coverage, each believing its own product should be the standard.
All of this divisive back and forth has created a vacuum that insurance carriers have felt obligated to step into. Having absorbed the brunt of cyber losses over the last several years, insurance companies are now driving security policies and working with lobbyists to regulate the industry and limit their future exposure. This has pushed cyber security to the forefront not only of their own businesses but also of IT Service Providers and their clients.
According to 'Cyber Insurance Risks and Trends 2025', published by Munich Re in early April, there are four main 'hot spots' that act as the major loss drivers in the overall cyber threat landscape: ransomware (the most costly), scams and business communication compromise (the most prolific), supply chain attacks (the Achilles heel) and data breaches.
The findings of Coalition (a cyber insurer) are that although the frequency of ransomware claims has decreased, their severity increased 14%, with an average loss of $122,000 per incident, while business email compromise (BEC) made up nearly one third of all claims.
Ransomware sits at the top of the list and is one of the most painful categories for insurance companies (and for businesses in general). It is powered by a mature Cybercrime-as-a-Service ecosystem, in which operators rent out ransomware tooling and infrastructure to affiliates, and that ecosystem is being further enhanced by the rapid growth and adoption of AI-enabled hacking tools. With ransomware's low cost and high reward potential, coupled with the ability to hone attacks using AI, this activity will keep rising. According to the Munich Re Cyber Data Analytics Team, ransomware was the leading cause of cyber insurance loss, with manufacturing suffering the largest losses, followed by healthcare.
So why does all this matter?
Insurance companies don't like to lose money. They don't like paying out claims, and they do NOT like absorbing their clients' risk. So what are they doing to mitigate that risk? They are becoming much more stringent both in the qualifications required to obtain cyber insurance and in what they will pay out on claims. They have also spotted an opportunity to partner with Managed Security Service Providers (MSSPs) so that the MSSP's products and services cover the insurer's clients. That sounds great in theory, but it is not always great in practice.
These agreements tie policyholders to particular products and providers as a condition of coverage. The services bundled in are often not aligned with the needs of the business buying the insurance, and the arrangement limits who that business is allowed to work with in order to stay insured.
It's a huge win for the insurance companies and for the MSSPs they work with, but not for their clients. MSSPs will provide security products, yes, but they often do not cover the day-to-day IT support that clients also need. That forces clients into having two service providers instead of one that does it all for them.
Again, why does this matter? Isn't it a no-brainer to just do what the insurance company wants so you are covered?
Not necessarily. The insurer is doing this to cover itself, not you, the client. It's also a boon for the MSSP, but the MSSP answers to its investors and to the insurance company. In neither case are you the main focus.
So how is this driving policy/regulation going forward?
IT Service Providers actually DO care a great deal about their clients. They are just as frustrated with the lack of regulation and oversight, so they are educating themselves on cyber security and aligning with the tools and partners they believe best protect their clients. They are filling out the insurance questionnaires on their clients' behalf to help them obtain coverage. They are fortifying their toolsets, training their teams, and investing in services that harden their security practices. While governments and regulatory bodies may be slow to adopt rules, insurance companies are forcing ALL IT providers, in some capacity, to adopt cyber security controls so that their clients remain insurable.
What are my other options?
One extra step some IT providers are taking is to find and work with insurance companies that are 'agnostic' about which IT providers, tool sets and policies a business uses, but that still VET the security tools and policies the IT provider has in place and then assign the provider a risk rating reflecting how insurable it is.
These IT providers can then offer the clients they fully support the option of using the same insurer, knowing that the provider itself has already been vetted and insured. The great thing about this model is that as long as the IT provider can attest that a client is running the already-vetted security controls, that client can be insured and everyone is covered. One caveat: that attestation is a representation the insurer relies on, and a claim can be denied if it turns out to be inaccurate, so it has to be backed by evidence (MFA actually enforced on every account, backups actually tested) rather than ticked as a checkbox.
So if the IT provider is working with an insurance company that says I have to use its tools, how is that any different?
The difference is that you, the client, were already using those tools with your current IT provider. You are not forced to change the tools your company knows and that work for you in order to be insurable. It also lets your IT provider apply its understanding of your business to deliver 'enough' security to be safe, without locking things down so tightly that your daily work is impeded.
Cyber insurance is 100% necessary today, and the bad actors are not taking their foot off the gas in trying to get to YOUR money. What IS changing is how insurance companies decide who is 'insurable' and who is not. The cyber threat landscape IS changing. Insurance IS changing. Your IT provider IS changing, and so are you, whether you like it or not. Cyber risk is now the #1 threat for businesses.
We not only see the importance and necessity of cyber insurance, we do all we can to ensure our clients have it. IntegraMSP believes passionately in cyber insurance and has seen how important it can be for our clients. We work in tandem with an insurer backed by a Lloyd's of London syndicate that writes policies for IT providers like us. They have vetted us and our toolsets and deemed us 'insurable and trustworthy'. Clients who are also insured through our insurer receive a number of benefits along with painless cyber insurance coverage.
If you would like to talk about cyber insurance or cyber security, or have us come out and take a look at how secure your network really is, we would love to have that conversation. Cyber insurance coverage does not have to be painful.
Fast Facts:
- 98% of cyber claims were filed by small to medium-sized businesses
- The average cost of a Business Email Compromise (BEC) claim skyrocketed 220%
- Ransomware remains a dominant and costly threat for companies, accounting for 64% of all cyber claims
- The average business interruption cost of a cyber incident was $1.3M.