The global cyber insurance market is expected to top $25 billion by 2026; in 2020, it was valued at roughly $8 billion. In its early years, cyber insurance served only as an add-on to existing liability policies and generally excluded more than it covered. Items such as dependent business interruption, property damage, rogue employees, regulatory claims, and first-party damages were absent from most coverage lists. Of course, during cyber insurance's infancy, breaches were nearly as nascent as the insurance.
As cyber criminals advanced their attack techniques and ramped up their frequency, businesses and policy writers realized the need for expanded cyber coverage. However, insurance providers adapted at a relatively slow trickle through the 2000s. It wasn’t until the 2010s, amidst the fallout from several high-profile breaches, that cyber coverage really began to mature to align with breach activity and its associated costs.
Cybersecurity insurance quickly became a must-have staple in many cybersecurity mitigation programs and, for a short time, was attained with relative ease: complete a basic security questionnaire, determine coverage requirements, and choose a policy—all for what could be, generally, a reasonable cost.
Things have changed.
$4.35 million = the global average cost of a data breach.
Source: 2022 Cost of a Data Breach report, IBM
Insurers have spiked their policy price tags: in the second quarter of 2022, cyber insurance premiums rose 79 percent year over year. Underwriters have also tightened their coverage requirements, so much so that many organizations find it challenging to secure a policy without running a lengthy gauntlet of stringent security requirements. Brian Gardner, Chief Information Security Officer for the City of Dallas, said, “Now some carriers want detailed answers about how an agency’s security controls are configured.” But details aren’t all they want. Many want documentation: proof that those controls are established and currently operating.
Why the cost spikes and policy restrictions? We keep putting more digital devices into operation and digitizing more data, offering more attack surface and more information to plunder. Many organizations also still lack adequate security controls and programs. Consequently, the number of policy claims has ballooned as cyber incidents surge in frequency. Attackers are also operating with greater sophistication, and many treat a target's cyber insurance as leverage for extracting a ransom: for one insurer, the average ransom demand against its policyholders in 2021 was $1.2 million.
Here are a few statistics to help put cyber incidents and their costs in perspective:
With the escalation in cyber incidents and related costs, the cyber insurance industry has had to adapt once again, this time to mitigate its own losses. Claims are consuming an ever-larger share of the premiums insurers collect: in 2020, the average loss ratio for cyber insurers was 66.9 percent, up from 32.4 percent in 2017.
Let’s look deeper than the premium hikes and see how insurers are adapting their coverage. Many have become so strict that organizations are finding it difficult to secure a policy at all.
Many insurers now mandate a baseline of cyber hygiene practices, such as deploying endpoint detection and response (EDR) tooling. One study found that 34 percent of respondents were denied policies because they did not meet EDR requirements. Other control obligations include multi-factor authentication across multiple access points, password restrictions, data backups, and adherence to security frameworks such as the NIST Cybersecurity Framework.
Organizations will be asked to undergo an audit to verify their cyber health before a policy is granted. The resulting risk rating then determines the premium, assuming the risk is low enough to be insurable at all. The more steps a business takes to reduce its risk, the lower the premium.
Lloyd’s of London recently announced that its syndicates must exclude state-backed cyberattacks from standalone cyber policies. Additionally, an act of war is no longer covered in the U.S. Those underwriters who continue to cover nation-state attacks will almost certainly tighten their parameters and bump up premiums further.
Currently, cyber policies’ coverages, terms, and conditions vary wildly. A standard policy model would alleviate ambiguity and help organizations attain and maintain adequate security controls and risk levels.
Certain categories of organizations may be forced to purchase cyber insurance through regulation. Also, regulatory entities are beginning to require higher standards of data collection and regular reporting on cyber risk exposure. Forbes stated, “There will be requirements for specific data collection in order to have an easily accessible, across-the-board reporting system. Data points will need to use a minimal amount of data elements while still being useful for analysis of cyber exposure. The data requirements will evolve in line with the regulatory understanding of cyber exposure analysis, and as the risk itself evolves.”
Though many organizations are having difficulty securing cyber insurance because of the higher premiums and stricter parameters, those two speed bumps may serve as a valuable reality check. Perhaps businesses will recognize the dangers of the cyber landscape and the importance of establishing robust cybersecurity controls and practices, even if they can’t afford the insurance.
Cyber insurance should never be used in lieu of robust prevention measures or recovery plans, but it can help offset financial losses. Some organizations may feel that the higher premiums have forced an ultimatum upon them: build up their security controls or purchase insurance. For those with a slim budget, this is a very hard reality and not a decision to be made lightly.
If you’d like to learn more about strengthening your cyber resilience, visit CompliancePro Solutions.