We spoke with RSM’s Anthony Catalano about the risks cyberattacks pose to PEVC funds and how cyber liability insurance has responded

The threat of cyberattacks, particularly ransomware, to global business rose sharply during the pandemic as work from home policies stretched the networks of many companies. With attacks becoming more frequent and sophisticated, how are PEVC funds protecting themselves and their portfolio companies?
The increasingly digital environment has led to an elevated level of cyber threat activity, resulting in middle-market PEVC funds scrambling to transfer risk through cyber liability insurance (CLI). Unfortunately, finding any level of coverage is increasingly challenging. Already this year we have seen several funds denied cyber insurance, which was unheard of in years past.  

This belt-tightening by cyber insurance carriers is directly tied to the losses they have incurred from ransomware breaches. We are seeing attacks in every industry and the financial demands are getting much higher. Cyber insurance companies are simply refusing to take on excess risk, causing a major shift in the marketplace.  

Mid-sized businesses face increased risk because many do not have adequate controls in place. If middle-market PEVC funds want to protect themselves and their portfolio companies from cybersecurity threats, they will have to adjust their approach to address liability risk.  

How has the insurance industry responded to both the heightened demand and liability?
While it was once commonplace for cyber insurance companies to accept risk transference from organizations, they are now limiting business for their own protection. The RSM Middle Market Business Index 2021 Cybersecurity Special Report discusses important changes in the cyber insurance marketplace, including reduced capacity, rate increases, and underwriting scrutiny.

More emphasis will be put on a company’s policies, procedures, and control capability related to cyber exposure. PEVC firms that do not have a minimum viable cybersecurity program in place are having to pay exorbitant premiums to get liability coverage at all.

What is a common misconception that PE firms have regarding cyber insurance and how should they approach it?
Demonstrating cyber insurance readiness increases a PEVC fund’s likelihood of securing adequate liability coverage. A minimum viable security program should include penetration testing, policy and procedure, governance, program management, and posture matching. Without these foundational elements, obtaining an insurance policy will become more difficult or cost prohibitive.

PE firms need to understand that CLI is not a standalone solution for cyber threat protection but rather part of a larger risk management strategy. Rather than worrying about how much cyber insurance is needed, PEVC funds should focus on bolstering their cybersecurity controls and then transferring residual risk, in that order. In other words, avoid putting the cart before the horse or face increased challenges in transferring that risk properly.  

A minimum viable security program should include vulnerability scanning, security awareness training, policy and procedure, governance, incident response and business continuity capability, as well as multifactor authentication and endpoint detection and response (EDR). Without these foundational elements, obtaining an insurance policy will become more difficult or cost prohibitive.

About Anthony Catalano
Anthony Catalano leads the cyber security practice for private equity at RSM. He has over 16 years of experience advising multibillion-dollar health care and technology organizations on matters relating to information security. Having served as virtual CISO for a variety of organizations, he has experience building entire security programs and developing security management strategies that align with an organization’s business goals. Anthony specializes in helping health care clients solve regulatory challenges and mitigate operational and financial risk.

This article originally appeared in the Preqin Quarterly Update: Private Equity Q3 2021. The opinions and facts included within the above do not constitute investment advice. Professional advice should be sought before making any investment or other decisions. Preqin and RSM providing the information in this content accept no liability for any decisions taken in relation to the above.