NADA Recap: Combat Cyber Insurance Prices

Published On: February 26th, 2024

It was a pleasure and an honor to speak at NADA 2024. Thank you to all who attended our workshop, “Tame the Tiger – Combat Soaring Cyber Insurance Prices”. In case you missed it, here are the key points we covered. The full recording of the session is available to NADA members.

Cyber insurance prices have been growing at an alarming rate. You may have experienced premium increases of 250 percent or more compared to a few years ago. It can be difficult to understand the high price point, grasp the criteria used to evaluate risk, and know how to position your dealership for significant savings. We guided attendees through what is driving the crazy premium increases, how to become a “good risk”, and how to set up a business for the lowest possible premiums.

 

Why the increase?

The reality for cyber insurance companies is they’ve lost money the past few years by offering policies too broadly. As ransomware and business email compromise (BEC) have become rampant, claims have been more frequent and larger than anticipated. Now, insurance companies are only looking for “good risks”.

A “good risk” is a business that follows good IT protocols, security best practices, and cultural cyber hygiene. The good news is these best practices also overlap with the FTC Safeguards Rule, thus giving you a two-for-one victory!

 

How do you become a “good risk”?

Here are the steps needed to not only become a “good risk”, but also harden your defenses against cyberattacks:

  • Use multi-factor authentication (MFA) for admin accounts, cloud access, and remote access.
  • Outsource protection of endpoints, like PCs and servers, to a 24/7 Security Operations Center. A good Security Operations team can respond to security alerts within minutes and shut down attacks in their infancy.
  • Ensure you have reliable backups that are “air-gapped.” This means they are taken offline, either physically or logically, so malicious actors can’t tamper with them. And make sure you test your backups regularly.
  • Invest in a strong email filter. Ninety-five percent of all attacks begin via phishing emails. Between a strong filter and a well-educated organization, most attacks can be thwarted even before they begin!
  • Ensure you’re using current-generation, supported operating systems and appliances, like firewalls. These systems need to receive regular security updates and vendors don’t always provide security updates for older, unsupported systems.
  • Manage your third-party risks. These are vendors or partners that have access to your data or your network. Suppliers or partners are a common route to getting hacked!
  • Ensure you’re providing high-quality security awareness training to your organization and that you’re reviewing results. Follow up on associates who don’t complete training or have a tendency to fail their phishing tests.
  • Have a solid, rehearsed Incident Response Plan! Conduct a tabletop rehearsal at least once per year.

 

These steps can be hard to manage for many dealerships. They require a considerable amount of understanding of technology and ongoing management.

 

How do I use this to actually save money?

Once you have these steps in place, you’re ready to make your case for the lowest possible premium. Share your information security program with your broker. An alternative way that’s growing in popularity is to obtain insurance through your IT or security service provider, who may have partnerships with insurance companies.

 

You can demonstrate the quality of your program and your diligence by sharing key metrics:

  • Your phishing test results (including “phish prone” percentage), ideally under five percent.
  • Systems protected by managed detection and response (MDR).
  • Percentage of MFA enrollment.
  • Percentage of vendor-supported devices (ideally, there should be zero unsupported systems).
  • Results from the last backup test.
  • Penetration test results.

 

With a solid program and a demonstration of your diligence, you can help your dealership qualify for the best cyber insurance rates possible!
