The insurance industry is evolving to help your business mitigate risk—specifically, cyber insurance is evolving fast. Cyber insurance offers a safety net for businesses threatened by the rapid growth of insider cybercrime and external cyber threats, particularly ransomware. While cyber insurance has been a reliable safety net for years—driven by accelerating insider cybercrime and exploding ransomware attacks—things are changing fast.
Before you seek cyber liability coverage or negotiate your next insurance policy renewal, it’s important to understand the dynamics of the rapidly changing market and consider how well your security controls will stand up to an insurance company’s review. (Our sample Cyber Insurance Readiness Checklist guides you through the top questions most insurance companies ask.)
This blog will answer some common questions about cyber insurance and make sure you get all the facts you need.
The cyber insurance market is expected to reach $20.6 billion by 2025, according to the latest estimates. That’s up from $7 billion in 2020. The booming market is a reaction to the explosion of cyberattacks in the last few years. In 2021, there was a 50% increase in cyberattacks over 2020, much more than businesses or insurers expected or budgeted for. The cost of cybercrime is also continuing to increase, reaching $10.5 trillion annually by 2025.
Ransomware currently accounts for 75% of all cyber insurance claims, up from 55% in 2016. “There has been no reprieve in ransomware activity, suggesting that it will continue to be a prominent threat in 2022 as threat actors continue to exploit new vulnerabilities and attack vectors,” Insurance Business warns. Part of the reason for the continued ransomware increase is the willingness of businesses to pay the ransom demands.
How do these factors impact your cyber insurance strategy?
As you can imagine, insurance companies don’t want to be left holding the bag as cybercrime and ransomware increase. Thus, they’re raising insurance premiums. After misjudging risk in 2019 and 2020, some insurers have exited the cybersecurity insurance market, which allows those companies that remain to capture increased demand while keeping premiums high.
Cyber insurance companies are tightening security requirements
In addition, to reduce their risk, insurance companies are tightening cybersecurity requirements before they grant insurance coverage to their customers. Specifically, insurers are taking a close look at how well businesses follow security best practices, such as access control, multi-factor authentication, and the principle of least privilege.
Cyber insurance is a policy with an insurance carrier to mitigate a business’s financial risk exposure by offsetting costs related to damages and recovery after a data breach, ransomware attack, or another cybersecurity incident. It can shield you from the costs of investigations, forensics, compliance fines, lawsuits, and even extortion payments.
Until recently, cyber insurance was just extra liability insurance that you could add to your standard business insurance. But, traditional insurance policies only covered business interruption or breach of physical assets due to cyberattacks. Today, cyberattacks can cause a much wider swath of destruction for businesses. In insurance industry parlance, “the loss environment has increased.”
Don't just bolt on a bit of cyber insurance
As Michael Phillips, Head of Claims at Resilience Insurance, explains in Delinea's 401 Access Denied podcast, “it’s no longer sufficient to just bolt on a bit of cyber (insurance) onto your property policy.” Rather, you need coverage from insurers that understand cybersecurity and are willing to pay for those extra losses.
Let’s take a look at the types of players in the cyber insurance industry.
Like other areas of business insurance, the cyber insurance ecosystem consists of brokers, insurers, and re-insurers. Most businesses seeking cyber insurance start by working with a broker who can obtain quotes from a variety of insurers. Those insurers range from the large, name-brand insurance companies with cyber divisions, to smaller companies that only provide cyber insurance. Some specialize in cyber insurance for specific industry sectors, such as healthcare, law firms, nonprofits, or retail.
Regardless of size or specialty, all cyber insurers have one thing in common: they’re learning as they go, trying to find their foothold in a fluid, ever-evolving market.
As you shop for cyber insurance, you won’t typically deal directly with re-insurance companies, but they play an important role behind the scenes. Re-insurance is best described as “the insurance of insurance companies.” Cyber Magazine explains: “Reinsurers have taken on an important role in the cyber insurance ecosystem over the past two years. They provide cybersecurity, share underwriting knowledge, give actuarial support, and help manage accumulation risk, in addition to enabling the pure risk transfer.”
There are two major types of cyber insurance coverage: third-party liability coverage and first-party coverage. You may choose to purchase either or both types of coverage.
Cyber liability coverage may spell out the types of incidents and damages they will pay for, such as “ransomware insurance” or “data loss insurance.”
Keep in mind, the products offered by the cyber risk sector of the insurance industry are evolving. Some cyber insurance providers are making big changes in the scope and scale of what they will and will not cover for businesses.
Some insurers are pulling back and insuring less or putting more limitations on their policies. French insurance company AXA, for instance, announced in August 2021 that it will stop paying ransom demands for future policyholders.
Make sure you know exactly what your cyber insurance will and will not pay for.
High demand combined with big losses is driving up insurance costs. For example, AIG announced that its cyber insurance premiums rose 40% in the past year. As AIG’s CEO, Peter Zaffino, explains: “We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware, and the systemic nature of cyber risk generally.”
The good news is there are ways you can keep your cyber insurance costs down, even while premiums are on the rise.
Unlike other insurance sectors, cyber insurance lacks years of actuarial data required to balance pricing with the risk taken by the insurers. Cyber insurance has about 15 to 20 years of data to rely on, whereas other areas of insurance have hundreds of years of actuarial data at their disposal.
Cyber risk requires specialized models. Insurers must combine data science, cybersecurity expertise, and insurance underwriting skills to evaluate risk. Many have formed a dedicated “cyber engineering” group that understands how to conduct security risk assessments. Insurance underwriters and security experts are joining forces to act as a team. Not often do subject matter experts from such diverse fields collaborate to come up with a market price.
We all have an incentive to get this right
Michael Phillips, Head of Claims at Resilience, shares a behind-the-scenes look at how a cyber engineering team works in the 401 Access Denied podcast. Until recently, he notes, “cybersecurity professionals and cyber insurance professionals might have said, ‘these guys are getting in my way or they're intervening in my plan and program.’ Now, we're all incentivized to really address what is a much more comprehensive problem than it was 5, 10 years ago . . . now it's operational. It's privacy. It's data protection. And it's the health of the enterprise. We all have an incentive to get this right.”
Expect in-depth questions that scrutinize your security controls and risk management practices. Cyber insurers look for common security risk controls. For example, cyber insurers may want to know how you’re doing regular testing for phishing and how you’re handling web content filtering and multi-factor authentication.
Cyber insurers evaluate cyber risk using a variety of models and metrics. Some, such as AIG, make their evaluation metrics available to the public. Others, such as Zurich, rely on a framework from the National Institute of Standards and Technology (NIST) for their cyber risk assessment report. While the metrics and frameworks may vary among the insurance providers, they’re all looking for similar fundamentals: solid, proactive cybersecurity risk controls.
Among other cyber insurance requirements, cyber insurers look for common security controls, including:
Certain industries may have their own unique risk controls or may place higher importance on particular security measures.
The good news is, you can take straightforward steps to implement these risk controls, which in turn, could make your business more “insurable” and lower your cyber insurance costs. To help you meet cyber insurance requirements, I've summarized the best practices in our cyber insurance checklist:
When you apply for cyber insurance, you’ll want to be able to answer questions confidently. How do you know you’re ready? Download our sample Cyber Insurance Readiness Checklist—it guides you through the top questions most insurance companies ask when you apply for cyber insurance.
If and when you’re issued a cyber insurance policy, congrats! It’s not an easy feat to obtain a policy during these tumultuous times for the cyber insurance market.
But don’t rest on your cyber laurels. Cyber insurance continues to evolve so don’t be surprised if your insurer makes changes to the coverage or premium when it’s time to renew. Providers may also expect you to provide updates and new data during the entire term. You’ll need to continue to show the same accountability and responsible practices that earned you the policy.
No matter if you’re looking at cyber insurance in the short term or down the road, you can take important steps right now to tighten up the cyber practices across your business. As you build your cyber insurance checklist, start by making privileged access the core of your cybersecurity strategy.