With the cyber threat landscape showing no sign of becoming less risky, many businesses want to transfer some of their risk to cyber insurance providers. In fact, by 2020, 78% of corporate risk managers bought some type of cyber insurance coverage for their company. But what is cyber insurance, what type of coverage can you get and what do you need to apply for a policy? This article aims to provide the lowdown on all the important details.
Cyber insurance is a type of insurance that helps businesses protect against the risk of losses from cyber threats, such as data breaches or ransomware attacks. The recent explosive growth experienced in this sector reflects a combination of several factors, including:
Most businesses today depend heavily on functioning IT systems for business continuity. In the event data gets corrupted or systems get taken down due to a cyberattack, not being covered by cyber insurance can easily pose an existential threat to businesses. Aside from business continuity risks, breaches of customer or other sensitive company data from cyberattacks can prove extremely costly. Cyber insurance can also help with the cost of recovering from a data breach.
The cyber insurance market is nowhere near any sort of maturity level yet. With growth levels forecast to surge from $7.6 billion in 2021 to $36.85 billion in 2028, the industry is yet to see evolutions in coverage or even a standardization in what’s offered. Broadly speaking, you can break down the typical coverage provided into three areas:
Many providers tailor the types of coverage they offer to different organizations. In the current threat environment, a pressing question on the minds of many IT decision-makers and risk managers is whether insurers will cover their business against ransomware payments.
In May 2021, AXA in France decided to stop writing cyber insurance policies that reimburse customers for extortion payments made to ransomware criminals. This move came after criticism of the insurance industry that covering ransom payments encourages companies to pay threat actors, despite regulators and governments advising against paying any ransom. It remains straightforward enough to find an insurance provider willing to cover ransom payments, but if the average payments keep rising and attacks continue to increase, expect to see more insurers make the same move as AXA.
An area in which it’s uncommon to get coverage is the reputational damage inflicted by a cyberattack. Not only is it difficult to put any sort of monetary value on that type of damage, but also, insurers see it as unwise to pay out for ambiguous costs. Public perception of a business might skew negatively for months or years after a cyberattack, which makes it very hard to quantify how many customers left or avoided the company due to a perception of poor cybersecurity.
Cyber insurance providers were arguably caught off guard in recent years by the risks they had underwritten. Systemic risks arose from single cyber incidents spreading to multiple businesses, and cyberattacks grew in complexity and volume beyond even the levels predicted by industry experts.
In an attempt to recoup losses and exercise more prudence, insurers have stepped up their requirements for businesses to demonstrate an adequate level of responsible cyber security practices before providing insurance coverage. No insurance company wants to provide coverage to a business that’s careless with its cybersecurity and looks likely to become a victim of a serious data breach.
At a minimum, expect to get asked about the processes and tools in place to protect your IT environment and data. Many insurers want to see the results of a security audit or penetration test carried out against your security defenses. Getting approved for a policy isn’t the end of having to demonstrate a strong cybersecurity posture. Insurers typically reassess policies annually, and they want to see that you’re maintaining a strong cybersecurity posture.
Cyber insurance doesn’t remove risk—it just transfers some of the risk to an insurance provider in return for a premium. Given the requirements to maintain a healthy security profile, it’s a mistake to view cyber insurance as a replacement for your information security program.
With higher levels of demand across the board and higher levels of risk, cyber insurance premiums are likely to continue increasing over the coming years. Hefty payouts from ransomware attacks are making insurers warier about their risk appetites. Some ransomware threat actors increase the ransoms they demand if they find evidence of a victim’s level of cyber insurance coverage while inside their network.
In November 2021, Lloyd's of London reportedly began discouraging its syndicate members from providing cyber insurance coverage to businesses. While most insurers probably won’t actively stop providing cyber insurance coverage, the limits and coverage levels in policies are likely to change, and businesses will bear more of the risk.
As coverage levels and limits reduce, underinsurance is the likely outcome. Businesses will face a trade-off between accepting more risk versus paying extremely high premiums for the coverage they want.
Investments in added-value security solutions will help to close some of the underinsurance gaps emerging over the coming years. Search for ways to strengthen your security posture rather than focusing only on transferring risk to insurance providers. A stronger security posture also reduces cyber insurance premiums. Solutions like managed detection and response, cybersecurity consulting and vulnerability management all reduce the likelihood of becoming the next victim of a costly cyber breach.
Looking at ways to strengthen your cybersecurity posture? Contact Nuspire today to get a customized assessment and determine the best ways to address your security gaps.