Cybersecurity insurance has become an indispensable business expense in recent years, but credit unions may be bumping up against some daunting realities when it’s time to renew, let alone the challenges faced by those seeking a new policy.
The dramatic rise in ransomware attacks has cut into the bottom line of insurance companies, leading to much tighter underwriting standards and other obstacles for any organizations seeking to obtain a policy.
In response to an onslaught of claims and rising losses, insurers have put in place prerequisites for cyber coverage that may not have been required even a few years ago. They want to see evidence of up-to-date system controls that reduce the risk you’ll have a serious attack. Here’s what those defense measures may include:
Those qualifying for a plan will find steep rise in premiums. Over the past year, cybersecurity insurance premiums have spiked 74%, according to recent data by FitchRatings, a higher premium-growth rate than any other insurance product segment. Deductibles have also shot up astronomically, up 10 to 50 times higher than they were a year ago. A typical plan with a deductible of $20,000 last year may now have a deductible of as much as $1 million. These massive increases reflect rising claim volume and the increasing severity of damage caused by cyberattacks.
At the same time, policies have more exclusions than ever. It is not uncommon for policies to include exclusion clauses for acts of war, failure to maintain standards, payment card industry (PCI) fines and assessment, and prior acts.
And as challenging as price hikes are to contend with, some institutions may discover even worse news: They could be suddenly dropped by their carrier upon renewal, especially if they have ever filed a claim.
But the encouraging news for financial institutions, including credit unions, is that they tend to have more robust security programs than many industries because of the highly regulated environment in which they operate. The National Credit Union Administration mandates cybersecurity measures for all federally insured credit unions, which put them in a comparatively strong position about protection from major data and system breaches.
Look for gaps
Potential gaps to be on the lookout for include MFA. Be sure MFA is enabled on all accounts, not just some. It isn’t enough for it to be on just Office 365 for accessing email; it also needs to be in place for setting up VPN for remote access and for access by your IT service providers.
IT teams at credits unions should be proactively looking for unusual network activity and implementing an advanced end-user detection and response (EDR) system to detect and isolate malicious programs and files that may have evaded traditional anti-virus solutions.
White House guidance
Getting a handle on risk has taken on greater urgency lately. U.S. sanctions against Russia in the wake of the Ukraine War have raised the risk of cyber retaliation by Russia, prompting the White House to issue a broad warning about the potential for increased malicious cyberactivity against the U.S and guidance on how to prepare. Although no uptick in attacks by Russia has become apparent so far, critical infrastructure, including financial systems, are deemed to be primary targets for retaliatory attacks.
And it is reasonable to assume that Russia will want to undermine confidence in the U.S. financial systems, making it a priority for credit unions to prepare.
Your own underwriting practices
But it’s not just your own institution’s coverage you need to be concerned with. Cybersecurity insurance is a feature you may want to incorporate into your commercial loan underwriting practice, if you haven’t already. Without cyber insurance, borrowers are now viewed as a higher credit risk. Examine whether your own underwriting standards need tightening to include this requirement for commercial loans sought by your members.
Ask every vendor you deal with what their cybersecurity controls are. They should also carry cyber insurance to ensure that they’ll still be functional after a cyberattack. If a third-party contractor is handling a credit union’s website or providing IT services and they go down in a cyberattack, the effects on your credit union would be immediate, and possibly catastrophic.
How Wipfli can help
Wipfli’s cybersecurity professionals can help your organization stay on top of cyber threats. A strong set of protections will help you meet today’s strict underwriting standards to obtain needed cyber insurance. Our team is equipped with the most credible threat intelligence sources and is aware of rapidly evolving threats. Reach out to learn more, and subscribe to WipfliSecurity Weekly to access curated content by Wipfli's cybersecurity experienced team members. Or continue reading on: