Examining the Decrease in Cyber Insurance Rates

The cyber insurance market has proven tricky for many companies to navigate. The ongoing rise in cyberattacks, coupled with a lack of extensive historical data, makes it difficult to obtain this important insurance at affordable rates.  

However, an interesting trend emerged in 2024: cyber insurance premiums decreased. So, what’s going on here? This blog looks at the recent decrease in cyber insurance rates and offers pointers to help your business pay a lower premium.  

A Counterintuitive Finding? 

When looking solely at the threat landscape, it seems counterintuitive that cyber insurance rates are falling. After all, the cost of a data breach increased by 15% between 2020 and 2023. Companies deal with an ever-rising onslaught of attacks—Nuspire’s Q1 2024 Threat Report showed a 3.69% rise in ransomware activities, a 58.16% increase in dark web marketplace listings, and a 52.61% increase in total exploit activity from Q4 2023.  

Other factors like ongoing geopolitical instability and improvements in generative AI also point to a potential for increases rather than drops in rates. Generative AI lowers the barrier of entry for malicious actors, sharpening their skill sets and making them more efficient. Geopolitical instability tends to come with higher risks of state-sponsored hacks that drive premiums up.  

There’s also the systemic risk of so-called tail events to think about. These extreme incidents have a low probability of occurrence but can lead to significantly high losses if they do happen. In the last year or two, incidents like the MOVEit file transfer zero-day and the Change Healthcare attack seem to point to rising systemic risk.

So, Why Are Cyber Insurance Rates Declining? 

Examining just the threat landscape doesn’t account for the defensive side of the coin. A recent report on the cyber insurance market showed a 15% drop in rates during 2023 and 2024 compared to the peak in 2022.

Partly as a response to relentless ransomware attacks between 2019 and 2022, many companies invested in the hardened controls and defenses needed to thwart the worst impacts of these attacks. Of particular benefit is the wider adoption of comprehensive backup strategies that mitigate some of the costliest consequences of business interruption (and thereby lower premiums). Companies are now heeding advice not to pay costly ransoms.    

Thankfully, gen AI also strengthens cyber defenses. From developers being able to effortlessly scan their code for security flaws to AI-powered threat hunting, there are arguably as many opportunities to bolster resilience as there are downsides to this double-edged sword.  

How Can Your Business Get Lower Cyber Insurance Rates? 

Aside from the high-level market dynamics at play, individual companies can do several things to demonstrate a commitment to solid cyber resilience and lower their rates.  

Comply with cybersecurity frameworks and standards 

Cyber insurers hold frameworks and standards in high regard because complying with them shows a serious effort to reduce cyber risks. Some of the standards and frameworks that might incentivize insurers to give lower quotes include:

  • ISO/IEC 27001: This is an international standard for managing information security. It provides a framework of best practices for information security management, helping you protect client and employee information. 
  • NIST Cybersecurity Framework (CSF): Developed by the National Institute of Standards and Technology, this framework helps businesses assess and improve their ability to prevent, detect and respond to cyberattacks. 
  • CIS Critical Security Controls: A set of 18 best practices for securing IT systems and data against the most pervasive attacks.  

These are just some popular examples. But if you can show compliance with any respected standard or framework, there’s a good chance you’ll get a lower rate.  

Use strong access controls

Cyber insurers recognize effective identity security and access controls as strong steps in reducing your company’s cyber risk profile. Use role-based access control (RBAC) to limit access to sensitive information based on an individual’s role within the organization. Abide by the principle of least privilege access so that each person only gets the access strictly needed for their jobs. And get a multi-factor authentication solution in place. All of these actions limit the potential for account hacks and lateral movement while also showing that you are serious about taking proper care of sensitive data.  

Show cyber awareness improvements

Investing in comprehensive cybersecurity training for your employees is one of the best ways to reduce cyber risks. But without specific data from these programs, it’s hard to translate that risk reduction into tangible figures showing better cyber awareness among staff. Whether or not your chosen training platform reports them automatically, make sure to collect useful metrics that track improvements in cyber awareness over time. This could include click and open rates for simulated phishing attempts, report rates for those simulations, or more direct metrics gathered from training modules. 
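As an added illustration (not part of the original post), the script below turns constructed simulated-phishing campaign results into the kind of trend metrics an insurer can read: per-campaign click and report rates ordered by date, the change in click rate since the first campaign, and users who clicked in more than one campaign and are candidates for targeted retraining. The event rows and user names are constructed sample data, not results from any real program.

```python
from collections import defaultdict

# Constructed sample results from simulated phishing campaigns (not real data).
# Each row: campaign id, run date, user, clicked the link?, reported the message?
SAMPLE_EVENTS = [
    ("Q3-2023", "2023-09-12", "alice", True, False),
    ("Q3-2023", "2023-09-12", "bob", True, False),
    ("Q3-2023", "2023-09-12", "carol", False, True),
    ("Q3-2023", "2023-09-12", "dave", False, False),
    ("Q1-2024", "2024-02-05", "alice", True, False),
    ("Q1-2024", "2024-02-05", "bob", False, True),
    ("Q1-2024", "2024-02-05", "carol", False, True),
    ("Q1-2024", "2024-02-05", "dave", False, False),
    ("Q2-2024", "2024-05-20", "alice", False, True),
    ("Q2-2024", "2024-05-20", "bob", False, True),
    ("Q2-2024", "2024-05-20", "carol", False, True),
    ("Q2-2024", "2024-05-20", "dave", True, False),
]


def campaign_metrics(events):
    """Return per-campaign click and report rates, ordered by run date (ISO dates sort as strings)."""
    totals = defaultdict(lambda: {"date": None, "sent": 0, "clicked": 0, "reported": 0})
    for campaign, date, _user, clicked, reported in events:
        t = totals[campaign]
        t["date"] = date
        t["sent"] += 1
        t["clicked"] += int(clicked)
        t["reported"] += int(reported)
    rows = []
    for campaign, t in sorted(totals.items(), key=lambda kv: kv[1]["date"]):
        rows.append({
            "campaign": campaign,
            "date": t["date"],
            "click_rate": round(t["clicked"] / t["sent"], 3),
            "report_rate": round(t["reported"] / t["sent"], 3),
        })
    return rows


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted retraining."""
    clicks = defaultdict(int)
    for _campaign, _date, user, clicked, _reported in events:
        if clicked:
            clicks[user] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def improvement(rows):
    """Percentage-point change in click rate from the first to the latest campaign (negative is better)."""
    return round((rows[-1]["click_rate"] - rows[0]["click_rate"]) * 100, 1)
```

With the sample data, the click rate falls from 50% to 25% across the three campaigns while the report rate climbs to 75%, which is the kind of trend worth putting in front of an underwriter.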

Back up and test your backups

Reliable backup and recovery solutions are essential for minimizing downtime and data loss in the event of a cyberattack. Insurers also like to see this in place because it decreases the likelihood of paying out on large claims associated with business interruption or lost data.  

Aside from backing up systems/data and having failovers in place, it’s just as important to regularly test that your recovery process works effectively when needed. Storing backups in a secure, off-site location protects them from physical threats like fire or theft. Overall, the aim here is to show insurers that your business can quickly return to normal operations and recover important assets in the aftermath of cyberattacks. 

Get external cybersecurity expertise

External security expertise can offer round-the-clock monitoring and sophisticated threat response that may be more effective than in-house capabilities alone. Detection and response is the area insurers look upon particularly favorably when it comes to offering lower premiums.

Having an external company safeguard your endpoints with an endpoint detection and response (EDR) service, or thwart attacks across your wider environment with managed detection and response (MDR), is a vital step toward a more proactive security stance. Many insurers recognize the reduced risk associated with professionally managed security operations and will lower your cyber insurance rates accordingly.

Nuspire offers both MDR and EDR as part of a comprehensive suite of managed security services. You get 24x7x365 monitoring and remediation runbooks tailored to your unique business needs.

Let’s talk about how we can help you lower your cyber insurance premiums.