Startups and SMEs are showing more interest in, and demand for, cyber insurance than ever before. The reason is that the media now carries much more coverage of cyber incidents, which hit not only large companies but also smaller ones. On a personal level, we are also much more attuned to phishing emails, hacked social media accounts, and even emails received first-hand from companies notifying us that our own personal data may have been compromised in their cyber incidents.
However, it has become much harder in the last few months to even take out a cyber insurance policy. The increase in claims in the last 12 months has meant that insurers have lost money on their cyber insurance books. To ensure they don’t go further into the red, some insurers have had to increase their premiums so significantly that it sometimes does not make much sense to buy the insurance. Other insurers have had to pull out completely from selling cyber insurance to certain industries such as fintech, while others limit the number of accounts they take on. They deem the risk of a ransomware attack too high: they would need to sell a lot of policies to pay out potentially millions in claims.
What exactly does this mean for tech startups or SMEs? Can you still get a cyber insurance policy?
Yes, you can, but be prepared to put in some work for it. Gone are the days when you could simply declare that you have a few controls in place and get a quote on the spot. Insurers now ask more questions to make sure you have the right controls in place. Not only do they want you to declare that you have the controls, but they also want to see them. It is becoming much more common for insurers to request the latest copy of your Vulnerability Assessment and Penetration Testing (VAPT) results and confirmation that all issues have been closed off.
Which industries or types of companies, in particular, are hard hit by insurers?
The seemingly riskier industries are fintech, healthtech, education or anything related to sensitive data. Companies that transact completely online are also seen as risky. If you are in one of these industries and have not planned a VAPT yet, we would strongly suggest doing so. Not only is it a good idea to have one done so that you understand the key threats to your network and applications, but you will also need one anyway in order to get a cyber insurance policy in place.
Are there any industries that are considered low risk?
Right now, the more traditional brick-and-mortar, non-tech companies are exempt from the stringent requirements. Let’s say you are an F&B outlet, fitness studio or management consulting company. Chances are you are collecting and processing personally identifiable information of your employees and probably also of your clients. You have a risk of data breaches, but because you are not a fully online or tech company, most insurers would find it easier to underwrite and accept you. This means it will be relatively simple to get a quote on the spot for cyber insurance through Anapi, provided of course that you still have some standard controls in place such as email filtering systems.
How can Anapi help?
If your company falls into the difficult category, we can guide you on exactly what to look out for and make the cyber insurance application as pain-free as possible. We also know which insurers might have the risk appetite for your type of business. And if your company is a less risky traditional business, we can help you get cyber insurance on the spot. Contact [email protected] for more information.