The increase of cyberthreats has made it challenging for private equity funds to find cyber liability insurance.
Demonstrating cyber insurance readiness increases a fund’s likelihood of securing adequate liability coverage.
Firms can focus on bolstering their cybersecurity controls as part of a larger risk management strategy.
With cybercrime on the rise, private capital is finding cyber insurance hard to come by. In this Q&A, Anthony Catalano, RSM US LLP, opines on the risks cyberattacks pose to private equity and venture capital funds and how cyber liability insurance has responded.
The increasingly digital environment has led to an elevated level of cyberthreat activity, resulting in middle market PEVC funds scrambling to transfer risk through cyber liability insurance (CLI). Unfortunately, finding any level of coverage is increasingly challenging. Already this year we have seen several funds denied cyber insurance, which was unheard of in years past.
This belt-tightening by cyber insurance carriers is directly tied to the losses they have incurred from ransomware breaches. We are seeing attacks in every industry and the financial demands are getting much higher. Cyber insurance companies are simply refusing to take on excess risk, causing a major shift in the marketplace.
Midsized businesses face increased risk because many do not have adequate controls in place. If middle market PEVC funds want to protect themselves and their portfolio companies from cybersecurity threats, they will have to adjust their approach to address liability risk.
While it was once commonplace for cyber insurance companies to accept risk transference from organizations, they are now limiting business for their own protection. The RSM US Middle Market Business Index 2021 Cybersecurity Special Report discusses important changes in the cyber insurance marketplace, including reduced capacity, rate increases, and underwriting scrutiny.
More emphasis will be put on a company’s policies, procedures, and control capability related to cyber exposure. PEVC firms that do not have a minimum viable cybersecurity program in place are having to pay exorbitant premiums to get liability coverage at all.
Demonstrating cyber insurance readiness increases a PEVC fund’s likelihood of securing adequate liability coverage. A minimum viable security program should include penetration testing, policy and procedure, governance, program management, and posture matching. Without these foundational elements, obtaining an insurance policy will become more difficult or cost-prohibitive.
PE firms need to understand that CLI is not a standalone solution for cyberthreat protection but rather part of a larger risk management strategy. Rather than worrying about how much cyber insurance is needed, PEVC funds should focus on bolstering their cybersecurity controls and then transferring residual risk, in that order. In other words, avoid putting the cart before the horse or face increased challenges in transferring that risk properly.
A minimum viable security program should include vulnerability scanning, security awareness training, policy and procedure, governance, incident response, and business continuity capability, as well as multifactor authentication and endpoint detection and response. Without these foundational elements, obtaining an insurance policy will become more difficult or cost-prohibitive.
Originally published on RSMUS.com by Preqin.