LONG BEACH, Calif. — Risk managers for public entities should take advantage of the relatively stable cyber insurance market to bolster their security measures, so they’re better prepared to work with insurers when interest rates start to rise again, an expert says.
“You all heard the horror stories in ’22 about 150% premium increases,” said Bryan Hurd, Seattle-based vice president of Aon’s cyber solutions. He spoke during a session Wednesday at the Public Risk Management Association’s annual conference.
“Now the market has actually softened,” he said, with some policyholders seeing renewals at the same rate. But claims are increasing, he said, noting there is a 12- to 18-month lag between claims and tax rates.
“If claims continue to grow, you can believe that the underwriting will be even tighter 12 to 18 months from now,” he said. “You can be 12 to 18 months ahead of that equation.”
Temo Garcia, Chicago-based assistant vice president, Aon cyber solutions, said the first step is to “understand your vulnerabilities, really figure out where you currently stand.”
Mr. Hurd discussed what he has called the “dirty dozen,” the top 12 controls that could have stopped the spread of ransomware and other scams. At the top of the list is multi-factor authentication.
MFA “is like Frank’s RedHot sauce — pour it on everything,” Mr. Hurd said. If you don’t, “the response from insurers will be ‘Leave your message after the click’ and they’ll hang up.”
Garcia said access control remains the number one factor insurers look for, followed by endpoint security. Business continuity testing and tabletop exercises are also increasingly required by insurance companies, he said.
“How long will it take you to get back up and running” after an incident? he asked, adding that business interruption damage costs are increasing every year.
Endpoint detection, which monitors end-user devices to detect and respond to cyber threats, is also an important factor, Garcia said.
“More and more insurers” want to see 100% of policyholders’ networks covered by endpoint detection tools.