What's Changing in the Cybersecurity Insurance Market
Your insurance broker calls to renew your professional indemnity cover, and somewhere in the paperwork is a new question about cybersecurity. Do you have multi-factor authentication enabled? Do you have a documented backup and recovery plan? A year ago, nobody asked. Now it's on the form, and the wrong answer could cost you.
Cybersecurity insurance has changed significantly in a short period. Premiums are rising, some coverages are being quietly dropped, and qualifying for a policy is harder than it used to be. Insurers have paid out heavily on ransomware claims and data breaches, and they are adjusting. Nation-state attacks - where the source is a foreign government or a hacking group with government ties - are being excluded from some policies entirely. Ransomware payouts are disappearing from others. If your policy renews this year, it is worth reading what you are actually covered for, not just assuming it is the same as last year.
The qualification process has also tightened. Insurers now ask detailed questions about how you manage access to your systems, whether staff have received security training most NZ businesses overlook, how you handle devices that connect to your network, and what your backup situation looks like. These are not tick-box questions. Answering them poorly - or inaccurately - can mean higher premiums or a declined application. About 60% of small businesses that experience a serious cyber incident do not recover. Insurers know this, and they are being careful about who they cover.
When your cybersecurity posture is in good shape, the insurance application process is much simpler. Businesses with strong fundamentals - proper access controls, regular backups, staff who know how to spot a phishing email and other threats - tend to qualify more easily and pay less. The questionnaire stops feeling like an obstacle and starts functioning as confirmation that you have already done the right things. If gaps come up during the application, they are better caught before a breach than after.
If you are working through a cybersecurity insurance application, or you have not looked at your current policy in a while, it is worth having your IT support for professional services businesses go through it with you. They can identify where your setup might fall short of insurer requirements, help you address those gaps, and make sure your answers to the questionnaire accurately reflect what you have in place. ITstuffed works with professional services businesses across Canterbury on exactly this kind of review - you can find more detail on the cybersecurity services page.
If you want a quick read on where your IT currently sits, ITstuffed offers a 15-minute IT Fit Check. Book one at itstuffed.co.nz/booking.