Summary
A US state historically placed cyber insurance programs for both “unified” and “non-unified” entities. Unified entities adhered to a single set of cybersecurity controls; non-unified ones did not. Its insurer, after making significant claim payouts, chose to not renew the state’s program once it expired.
Marsh was able to market the program and find coverage for the state’s entities.
Cyber controls seen as weak
During a recent period of accelerating cyberattacks and insured losses, a large cyber insurer paid out claims totaling into the seven figures for a client that is a US state.
The insurer decided that in the coming year it would not renew coverage, which the state historically placed for both unified entities, which adhered to a single set of cybersecurity controls; and non-unified ones, which did not. When Marsh marketed the program to other insurers, none were willing to renew terms as expiring due to the perceived weakness of the non-unified entities cyber controls.
Shoring up controls and marketing the program
Seeing the issues that were looming for the client as well as the condition of the overall cyber insurance market at the time, Marsh began working with the state’s program a full eight months ahead of renewal.
Discussions began with a detailed overview of the difficulties in the market and in cyber risk management generally.
Historically, the CISO for the state had prepared the renewal submission documents for all of the entities. As part of the exercise, Marsh had each entity fill out a Marsh Cyber Self-Assessment questionnaire, a proprietary evaluation tool that has also been accepted by carriers in place of their applications. A version of the CSA will be used in connection with this program.
Marsh then held separate calls with each to discuss the findings and find ways to improve their cyber controls. Marsh then marketed the state’s program to more than 60 cyber insurers.
Conclusion
Marsh’s efforts with the questionnaires and follow-up cyber control discussions helped the state entities improve their cybersecurity posture, explain their situations and controls to insurers, and ultimately obtain coverage following the collapse of the group program.
Marketing efforts led to the unified entities finding coverage in a group program, while the majority of non-unified entities were covered under separate US$1 million limit policies. This is but one way in which Marsh’s cyber specialists help businesses manage the risks of a digitized world.
About Marsh
Marsh is part of Marsh McLennan, the world’s leading insurance broker and risk advisor. Marsh’s Cyber Practice helps corporate and public sector clients navigate an increasingly dynamic environment for cyber risks. We have a deep understanding of cyber risk and insurance issues, having been engaged with cyber insurance since its inception some 25 years ago. We work with clients to analyze their risk exposures and help them implement solutions to address and mitigate the financial impact of a cyber incident.
