A MoFo Privacy Minute Q&A (14 April 2021)

This is A MoFo Privacy Minute, where we will answer the questions our clients are asking us in sixty seconds or less.

Question: Our cyber insurance broker is bracing its clients for a tough cyber insurance renewal this year. Is there anything we can do to help make things go more smoothly?

Answer:  We are hearing it too. Cybersecurity insurance professionals predict that renewing cybersecurity insurance policies, and buying new policies, will be extra tough in 2021. This is because of a wave of expensive ransomware attacks that shook the industry in 2020, and the onslaught of supply chain cyber attacks that are expected to impact businesses of all kinds in 2021.

Ransomware attacks have evolved, with the amount of money demanded increasing, and attackers sometimes exfiltrating copies of files in addition to encrypting systems. They threaten to leak data to the public, and sometimes do so, if they do not receive the money they are seeking to extort. In the face of this threat, even if you have a back-up of the data and can deal with the business interruption, there is still an incentive to pay the ransom. 

Meanwhile, supply chain attacks have become prevalent, affecting essentially any kind of business, by injecting a backdoor into legitimate software updates. We have seen three major supply chain attack vulnerabilities reported just in the last few months.

We expect cyber insurance carriers to bolster the diligence they perform on insureds at renewal time, and when companies seek to purchase new cyber insurance. We also expect that premiums will increase and some insureds will not be allowed to renew. 

To help make the cyber insurance underwriting process run as smoothly as possible, we suggest that our clients take a multidisciplinary approach when completing cybersecurity underwriting diligence questionnaires. After responses to the questions are prepared by the information security professionals, they should be tailored by incident responders who have handled actual ransomware and supply chain attacks, and learned from experience what can be done, in advance of and in light of an attack, to reduce downside and cost. After all, that is just what the carriers are looking for.

We are working with our clients on their responses to underwriting diligence questionnaires, suggesting improvements that can be made to their cybersecurity programs, and helping fill gaps in their programs that would otherwise weaken their responses to underwriting diligence questions.

Visit our Privacy + Data Security page for additional information from our privacy library and resource centers on cybersecurity, state privacy laws, and the GDPR.