What do you do if your cybersecurity insurance policy is denied?

January 14, 2022
John Bruggeman
Consulting CISO

Over my past three blog posts, I’ve talked about cyber insurance. The first one covered the topics of what it is and do you need it. The second post discussed what you need to have or know before you make the call to your agent to get a quote. My third post examined in detail what type of questions you’ll be asked and who else besides the information technology group has to be involved in order to answer the questions from the insurance carrier.

Insurance companies may choose to not insure you for various reason. Discover those reasons, how to resolve issues, and alternatives to buying cybersecurity insurance.

Now let’s talk about what to do if you can’t buy insurance, either because the premium is too high or no insurance carrier will cover you. Unfortunately, these days insurance carriers are denying coverage more often due to the very high probability that your company will be attacked and compromised. You want to prepare yourself for that possibility.

In this blog, I’ll cover your options if you are denied. Part one will address the reasons why the insurance company won’t cover you and what you can do to fix those issues. The second part will cover what you can do instead.

Why insurance companies won’t cover you

Insurance companies typically deny cyber insurance because they think you are too risky. Just like a 16-year-old who just got their drivers license is very risky for a car insurance company, your company or organization can be viewed as too risky if you don’t have good cybersecurity practices in place.

How to resolve issues

First, you should try to find out why you were denied. It’s likely that the insurance carrier won’t tell you why, you’ll just be denied. To find out, take a look at the questions in  Cyber insurance, part 2: The insurance company questionnaire and also in Cyber Insurance, part 3: Filling out the questionnaire. When you answer the questions in those two blogs, the areas you need to improve will likely stand out.

But what to do?

More often than not, the problem that is preventing you from qualifying for insurance can be resolved by adopting an information security framework like the NIST Cyber Security Framework or CIS Controls. A framework helps you standardize what you are doing to protect your data, assets, and systems from threats. You can adopt either of these frameworks at no cost to you, other than your time and effort.

Something else you can do that doesn’t cost anything other than time but will help improve your security posture is answering these five questions from Justin Hall. After you answer those question you can take these five steps to make your environment safer.

Alternatives to buying cybersecurity insurance

Second, what can you do instead of buying insurance?

Self-Insurance

Something to consider if you can’t buy insurance is establishing “self-insurance” against a ransomware attack or other cyber incident. Your comptroller or CFO might like this idea. If you take the money equivalent to an annual insurance premium and invest that in your information security program, you can make your environment more secure.

Imagine this scenario:

The insurance premium for a small company (100 employees or less) can range anywhere from $15,000 to $25,000 a year for a $1,000,000 policy. Take that money and implement some of the basic security controls in NIST or CIS and you’ve improved your information security program right away. Strategically do that each year for five years and you will then have a much more secure environment that is resistant to cyber attacks.

Incident Response Services

Another option is to purchase incident response services in case you have a cyber incident. In this case you are purchasing re-active services when something bad happens. It’s not as good as preventing the incident, but you get help recovering from the crisis.

Limited Insurance

A third and final option would be to purchase a scaled down or limited form of insurance that will help you with recovery from an incident but not provide the payout of the ransom. The following services are not insurance but are services you should consider purchasing:

  • Awareness and training services for your staff. This can potentially improve your defense against phishing e-mails or business e-mail compromise attacks.
  • Coaching for your executive team on how to handle a data breach or ransomware attack. Not everyone is prepared to respond calmly when a crisis occurs, so coaching can help.
  • Run a ransomware or data breach tabletop-exercise (TTX). This allows your team to walk through the steps of a data breach or ransomware event and experience some of the steps that you will experience in that kind of event.
  • Hire a ransomware negotiator to act on your behalf in case you are attacked. There are professional ransomware negotiators that assist with the price and payment if you choose to pay the threat actor.

These are just a few of the steps you can take in case you can’t purchase cyber insurance at a price you can afford. One other action to consider is partnering with an expert vendor that specializes in information security and helping companies establish and strengthen their cybersecurity programs.  Contact our security team today to get your security program on the road to insurability.

In my next blog, I’ll talk about what we can expect on the cybersecurity front in 2022.

Catch up with these tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:

Improve your cybersecurity defense with centralized logging

Improve your cybersecurity defense with centralized logging, continued: A deeper dive!

Zero Trust Networks (ZTN): what are they and how do I implement one?

Subscribe to our blog