The case for encrypting your clients’ cyber policies

A laptop with a encrypted lock icon on the screen

To balance out loss ratios, cyber insurers have been rolling out new security requirements and best practices for policyholders, and one managing general agent (MGA) says the next logical step for consumer protection is encrypted cyber policies.

If a cybercriminal accessed an insured’s system and noticed the company had a cyber policy that covered more than they intended to demand for a ransom, they’d be able to use that policy as leverage to extort more money from the client, explained Lindsey Nelson, cyber development leader at CFC Underwriting.

But encrypting a cyber policy makes it so that the policy document is unreadable without password access or a decryption key. Only the insured, the broker and the underwriter would know the password.

“Whether you are implementing multi-factor authentication (MFA), or whether you’re encrypting sensitive information, it’s a matter of having overall good hygiene and cyber governance, and this is one of many layers that insurers need to deploy,” Nelson said.

CFC introduced policy encryption for its new and renewing cyber insurance policies, effective Mar. 1.

“The hope is that this will be an industry standard in the future, so we do believe that the market will follow suit,” Nelson said.

Cyber ransom coverage functions comparably to kidnap and ransom policies, said Nelson, “[and] kidnap and ransom policies have always been stored securely and incredibly confidentially, so there was never any reason why we shouldn’t have been treating cyber policies in the exact same way.”

However, this threat has not fully materialized in Canada—mostly because Canadian businesses are underinsured, or not insured at all, for cyber.

See also  Three tornadoes likely hit Quebec, uprooting trees and damaging infrastructure

“Our enhanced security teams strongly believe that it’s not insurance limits that threat actors are after,” Nelson said. “The reason behind that is because so few businesses—particularly so few Canadian businesses—as of today are even buying a cyber insurance policy,” said Nelson. “We estimate it’s under 10% in Canada who actually buy a cyber policy today.”

But the threat landscape moves quickly, she said. “It means that we have to constantly innovate.

“While we know that this isn’t going to be the tool that actually prevents all the cyber-attacks from happening for Canadian businesses, we do know that it’s going to be a helpful next step in preventing a lot of those attacks from happening unnecessarily, simply because [policyholders] store their documents in an insecure format.

“We know insurance policies and the availability of extortion limits are not fuelling cybercrime,” she said. “And while it happens infrequently, it happens enough that we needed to take steps as a market and make sure that we’re providing an extra layer of security for [policyholders] to ensure that their cyber insurance limits don’t get into the hands of cyber criminals and threat actors.”

 

Feature image by iStock.com/bagotaj