Back to Blog Home

Cybersecurity insurance, part 4: What happens if your company is denied cyber insurance coverage

Throughout this series, we have reviewed the steps to secure cyber insurance coverage. Part 1 is an overview of the critical concepts of cyber insurance and why your business needs it; part 2 outlines the insurance application questionnaire, and part 3 reviews strategies to answer the questionnaire and how to get the lowest quote possible.

But how should you respond if your company cannot purchase cyber insurance coverage? Your company might be unable to afford the premium, or you might be denied outright by the insurance provider. Policy requests are often rejected because of the risk that your business will be hit with a successful ransomware attack at some point. Your stakeholders should be prepared for the possibility that your policy request could be denied.

In this blog, we will discuss strategies to consider if you are denied coverage, common reasons an insurance provider might deny coverage, and several alternatives to cyber insurance.

Common reasons insurance providers deny policies

With insurance, it all comes down to risk. An insurance company will deny a policy if they deem the risk too high. Just as a teenager with a new driver’s license pays a higher premium, your company will also pay more for insurance if your organization does not implement mature cybersecurity protocols.

Determining risk

The first step is understanding why your policy request was denied or your premium is unaffordable. It is unlikely that the insurance company will give you this information, though it does not hurt to ask your agent. Next, to determine areas of high risk, review the information you provided about your current cybersecurity program. Review the questions and your answers to determine where the gap in security protections may be.

Filling security gaps

In most cases, you can address your cybersecurity issues by implementing high-quality information security controls, like those found in the NIST Cybersecurity Framework or CIS Controls. Adopting a security framework streamlines cybersecurity efforts and focuses your effort and the safeguards you deploy on sensitive data, networks, and systems. In addition, these two frameworks are free to implement.

Another free resource you can take advantage of is this list of five action steps from Justin Hall. After deploying a new security framework and taking the above steps, your company is more likely to qualify for affordable cyber insurance coverage.

But what if the premium is still too high or you are still denied?

Alternatives to cyber insurance coverage

Even if you are unable to afford cyber insurance, there are still plenty of options for companies looking to secure their data.

Self-funded “insurance”

The concept of “self-insuring” is simple. You invest the money you would have spent on an insurance premium into your cybersecurity program.

For example, an insurance premium for a smaller company—100 employees and under—ranges between $15K and $25K per year on a $1 million policy. Allocate those funds toward cybersecurity initiatives such as deploying the NIST or CIS framework. The ROI is almost immediate. By systematically investing in developing your information security program over time, your business will be much less vulnerable to data breaches. In addition, you may be able to re-apply for cyber insurance after implementing the recommended controls.

Cyberattack response services

Another good tactic is to buy cyberattack response services. These services give your organization guidance in the event of an attack to help your business recover. Ideally, you want to prevent the attack in the first place. But having an experienced professional in your corner as a coach can lower the downtime and possibly limit the damage.

Limited insurance coverage and other strategies

Another option is to opt for reduced cyber insurance coverage. Many insurance providers offer incident response and recovery plans without ransomware payments or other financial compensation in the case of ransom demand or litigation costs. While not ideal, this at least provides some assistance in case of a disaster and helps you be prepared.

Some additional strategies that are not insurance but are well worth consideration:

  • Cyber awareness education. Your employees can help defend against social engineering schemes by building a cybersecurity awareness culture.
  • Crisis management coaching for leadership. Professional response coaching will allow your executive team to stay calm and effective in the event of a breach.
  • Ransomware simulations. A tabletop exercise goes step by step through an imaginary cyberattack. Your team can identify gaps in the incident response plan, learn valuable lessons, and improve their responses.
  • Work with a professional negotiator. If targeted by ransomware, a professional negotiator guides your company through the options, including whether to pay the ransom and potentially negotiate a lower ransom.

Work with a security expert

Taking the steps we discussed will make your business more insurable and digitally secure. One final step to consider is partnering with a security expert to implement or strengthen information security frameworks. Get in touch to learn how we can aid your business on the road to a more secure digital presence.

More from this blog series:

  1. Part 1: What is Cyber Insurance and do I need it?
  2. Part 2: Preparing for insurance company questionnaires
  3. Part 3: Completing the risk and liability questionnaire