Increased cyber-attacks and more sophisticated threats have impacted all organizations. As risk profiles changed, so did costs. Many businesses relied on cyber insurance to help protect their assets and expenses, but the growing number and complexities of attacks such as ransomware forced insurance companies to adjust their requirements for coverage. The insurance industry increased rates up to 83% for top 25% of companies. Due to high payouts, carriers adjusted their underwriting protocols, requiring more visibility and specific controls to be incorporated into a company’s security program. Lloyds of London held nearly 20% of all the cyber insurance market. The company announced that the current model for cyber insurance is no longer sustainable for their business and as a result, it is discouraged its syndicate from taking new cyber business in 2022.
What Cyber Insurance Covers
Lets outline what a typical policy covers today. Policies typical cover the following costs:
- Forensic analysis to identify the attack source
- Costs to regain access or restore your data from backups or other sources
- Notification of clients and/or regulatory bodies
- Credit monitoring services for affected individuals
- Ransomware demands and specialists to manage ransom negotiations
- Legal costs and public relation services
- Depending on the type of incident, the insurance company may provide experts to assist in dealing with the situation at hand to advise the client and identify ways to lower the cost of restoration.
Rising Costs and Rising Demands
On the surface, it might appear that policy rates are rising along with demand. Fitch Ratings estimates that demand for cyber insurance increased by 28% in 2022. During this period, it is estimated that U.S. businesses paid an average annual premium of $1,485 for a policy stipulating a liability limit of $1 million. This finding is based on the estimates provided by 43 insurance companies for a customer with $1 million in revenue that exemplified moderate risk levels. According to a survey of insurance brokers, more than half said that prices for their clients rose from 10% to 30% by the end of 2020. Only 15% reported no increases.
In 2021 these prices continued to grow. The average premium increased 25.5% during the second quarter of 2021 according to a survey from the Council of Insurance Agents & Brokers (CIAB). This is on top of an increase of 17% in the first quarter of the year. It is estimated that cyber insurance prices are increasing 50% year over year and that companies should expect that trend to continue going forward.
Rising Costs Equate to Mounting Losses
The rising costs of cybersecurity policies only tells half the story. While the demand and prices rose significantly, claims made against businesses with under 250 employees for instance increased 57% during the latter half of 2020. While the most popular claim involves email phishing, the real culprit for the increased costs is ransomware. In 2020, the total amount of ransom paid by victims was nearly $350 million, an increase of 311% over the previous year. The ransom however only represents a portion of the actual cost to the victimized organization. The average cost of remediation rose to $1.85 million in 2021 compared to $700,000 in 2020. Now consider the fact that ransomware accounted for 41% of all cyber insurance claims in the first half of 2020.
Frequent ransomware claims along with their burgeoning payouts is what is driving the insurance companies’ losses. According to an S&P Global report, loss ratios increased for the third consecutive year in 2020. Case in point, in 2016, 43 cents out of every dollar paid in cyber insurance premiums was spent paying on insurance claims or related costs. Prior to 2019, the loss ratio never went as high as 48 cents. In 2020 it ballooned to 73 cents. The truth is that cybersecurity insurance was created when ransomware attacks were conducted on individuals for nominal payouts. These policies were not developed for today’s ransomware environment.
Other Actions to Cut Costs by Insurance Companies
One of Europe’s biggest insurers announced last summer that it will suspend policies in France that reimburse victims for ransomware payments. The company justifies its decision by stating that the very act of paying the ransoms is encouraging more ransomware attacks to occur. As a result, the company experienced a 260% increase in the frequency of ransomware attacks amongst its policyholders with claims ranging from $1,000 to $2 million. In another example of cost cutting actions, AIG announced last year that it was reducing the limits of its cyber policies. These limits represent caps on the amounts that insurance companies will pay on a claim.
What Policyholders Can Do
Insurance companies are now starting to make demands from their policyholders concerning their security practices. Just as drivers with a clean driving record are illegible for auto insurance discounts, insurance companies are also incentivizing good cybersecurity strategies from their clients as well. For instance, policy renewals for some companies are being predicated on the enablement of multifactor authentication (MFA) for remote access. In fact, MFA is one of the most frequent requirements of insurance companies today. Some other requests include:
- Backups of your network
- Incident Response Readiness – written incident response plan (WISP), compromise assessment, training
- Patch Management
- Regular Penetration Testing
- Risk Assessment to establish Duty of Care
- Compliance Requirements Management (PCI DSS, HIPAA, Privacy, Client contracts)
Insurance companies are also conducting background checks to research a company’s cyber incident history. In addition to the frequency of reported incidents, insurers want to find out how a company dealt with a prior attack. In some cases, insurance companies are even working with clients to enhance their existing risk management strategies to reduce their risk factors. These collaborative efforts benefit both parties as it helps reduce premiums for the client while minimize risk exposure for the insurer.
Navigating through the Insurance Process
Finding the right cybersecurity policy can prove a challenging process today. In order get an ample policy for your needs without breaking the bank requires due diligence on your part. This goes beyond getting quotes from multiple insurance providers. It means reviewing your cybersecurity strategies and controls that insurance companies are requiring today.
With the numerous risks organizations manage, how do they identify the most urgent and which ones will have the most impact? IT teams can benefit from a tool that gives a view of company risk that develops a report on how to mitigate risk, how much resources are needed, what is the outcome, and most importantly, in a format that their executive board can easily understand. A thorough report will help justify projects and provide the risk posture documentation needed for cyber insurance coverage. Plus, it will be based on Duty of Care Risk Analysis (DoCRA), a methodology proven to be legally defensible in the event of a breach. Reasonable Risk is the only GRC SaaS tool based on DoCRA.
Implementing regulatory and insurance requirements for your specific security and risk profile is key for getting proper coverage. Learn how you can establish a streamlined risk process.