The rising cost of cyber insurance
As recently as 2019, cyber insurance wasn’t on the radar for many small to mid-sized businesses, despite being the fastest growing sector of the insurance industry.
The sector took in more than four billion dollars worldwide in that year alone, and by 2025 cyber insurance is expected to be a fifteen-billion-dollar industry.
With growing cyber risks and an evolving threat landscape driving higher demand for cyber insurance year on year, recent industry data shows that cyber premiums are quickly outpacing other insurance products. Companies are now becoming more aware of the necessity of cyber insurance and are getting better at evaluating their coverage needs. The challenge for most businesses is how to choose cyber insurance products that cover their essential needs without over-extending their cyber budget. To do that, it helps to understand the shift in the marketplace when it comes to cyber insurance.
What’s behind the rising cost of cyber insurance?
According to The State of Email Security report, during 2020, the Mimecast Threat Center detected a 64% rise in threat volume compared to 2019. Hacker groups are quickly becoming more organised, and better at exploiting vulnerabilities exposed by the pandemic. Threat actors are carrying out more sophisticated attacks across longer timeframes to inflict greater financial damage on targets.
Insurers who specialise in cyber coverage have taken larger than normal losses during this recent period, blindsided by the surge in cyber incidents across almost every industry. In response, insurance providers have adjusted how risk is weighed through 2021, driving a parabolic increase in premiums as the frequency and severity of damages paid out grow. Some larger insurers in the space have already raised cyber insurance rates by more than 50% this year.
Even the world’s largest companies have had difficulty securing higher cyber insurance coverage limits, with risk-averse insurers in some cases only willing to insure data up to a fraction of its actual value. While a major factor has been the increasing number of large sums paid out following major data breaches, another key driver is the additional resources insurers are pouring into assessing cyber risk.
Insurers have begun to require more granular information when initially assessing insurance needs, and are also rating potential risks more severely, considering recent real-world outcomes. This includes spinning up the capacity to perform their own vulnerability assessments such as port mapping and penetration testing exercises. As a result, insurers may demand additional redundancy measures from their clients, such as disaster recovery planning or red team exercises, to remain compliant.
The standard sets of questions that insurers ask prospective clients evolve week to week as new threats arise, which makes it a time- and cost-intensive process for any business trying to pull together the required information.
While a higher cyber insurance premium generally means a higher level of coverage, as recent trends in availability of coverage have shown, an agreed amount won’t always be sufficient cover for actual losses. The difficulty for both parties lies in estimating potential damages from an unforeseen attack or data breach of unknown length and severity, muddying the waters around how much coverage is sufficient.
The size and location of a business, what it does, and how it operates are all variables considered when assessing risk of cyberattack, but the single biggest deciding factor for cost of premiums is the value of data being secured.
How organisations can minimise their cyber risk and insurance costs
One of the best ways to reduce cyber insurance premiums is to make sure your organisation is already well-prepared for cyber risks. Basic cyber hygiene and awareness training are a fundamental need for every organisation, no matter how big or small.
While cyber insurance offers many benefits, it needs to be part of a wider comprehensive plan for cyber resilience. Businesses should already have a well-planned cybersecurity strategy in place to pre-empt threats wherever possible and ensure business continuity during any successful attack.
Insurers are constantly trying to predict new ways that claims could occur, and how to mitigate the risk in each scenario. They are looking for businesses that have the right controls in place to reduce risks for both the business and the insurer, which translates into lower insurance premiums.
Insurance providers also have a lot of insight into the threat landscape and the liabilities that can come with a cyber incident. Sitting down with your insurer and reviewing your own cyber practices is a great starting point to not only boost your security but also keep your cyber insurance costs to a minimum.
When choosing an insurance product, organisations should evaluate their cyber insurance options carefully to select a level of coverage that ensures financial protection against data breaches or loss. Both insurer and insured must communicate effectively about the value and nature of data being insured and work together to establish the highest possible level of preventative cybersecurity as the first layer of defense.