Beginning in 2023, Lloyd’s of London will require its members to exclude catastrophic, state-based cyber attacks from their cyber insurance policies. This is controversial and will cause many problems from day one.
Undoubtedly, there will be a lot of litigation over this issue, such as:
- How do you define a state-based cyber attack?
- Is attribution even possible?
This change has been in the works for some time and is not surprising: insurance companies are looking to lower claims, especially catastrophic claims. Most likely, the rest of the industry will follow Lloyd’s example.
Cyber Attacks Are More Frequent Than You Think
Cyber attacks are not rare. In fact, they happen every day. And while most of them are not serious, some can be very damaging.
The purpose of any insurance policy is to protect against rare catastrophic risks. Emphasis on rare. Cyber attacks are not rare. They happen every day, disrupting SaaS companies of all sizes around the world in an instant. Therefore, today’s version of cyber insurance is similar to US health insurance.
You will most likely use your cyber insurance, just as you will most likely use your health insurance.
What Does The Lloyd’s Change Mean For SaaS Companies?
With exclusions and sub-limits rising, SaaS companies have more skin in the game. Your policy is not comprehensive, or at least not as comprehensive as it once was. You must take a proactive approach to cyber risk in order to limit the potential negative consequences.
Cyber insurance will enable you to recoup losses, but it doesn’t help you before a cyber attack. Simply put, it’s best not to suffer the loss in the first place. By becoming more active in cyber-risk management, you will decrease your risk.
What Is A Cyber Risk Assessment?
Let’s use a simplistic analogy and perform a risk assessment on the likelihood of someone breaking into your house. What do we need to think about? Clearly, where your home is, and where it sits within the neighborhood. Also, is there a lot of crime in your neighborhood? Do you lock windows and doors? If a window is unlocked, where is it? Is it accessible from the ground?
After going through this risk assessment, you will better understand the chances of getting robbed. Based on the risk assessment, you may start locking your doors or put in a security system. Or you might just do nothing. But at least you understand the risks and potential outcomes and you know where you stand.
In this example, SaaS companies live in the most dangerous neighborhood in the most dangerous city in the world.
Cyber Risk Management is Simple:
- Perform a risk assessment on a periodic basis
- Analyze the results of the risk assessment
- Develop/implement a Risk Mitigation plan
- Use insurance as a last line of defense
- Rinse and repeat
When developing a risk management plan, it’s advised that you hire an experienced professional to get the most accurate analysis. At Cover Your SaaS, we specialize in risk management plans for SaaS companies.
SaaS companies should make it a priority to minimize cyber risks, but unfortunately many neglect this. The difference between performing or not performing a risk assessment could be hundreds of thousands of dollars.