Why organizations of every size and industry should explore their cyber insurance options as a crucial component of modern risk mitigation strategies
Offsetting business risk with insurance is not new. Early mariners transporting their goods around the world hundreds of years ago faced significant risk of damage, theft and threat to life. Lloyd’s, the insurance marketplace still around today, started off as a coffeehouse in London, popular with sailors, shipowners and merchants. Here, they could purchase insurance to cover their ships and cargoes against the dangers of the seas.
For modern businesses the risk may, in most cases, be less physical, but the devasting impact of a cyber-incident, for example, could be enough to force a business to close its doors and cease trading. A cyber-incident could be due to unforeseen issues such as a power or internet outage, resulting in disruption to normal business operations, or, it could be due to a cyberattack.
Mitigating today’s cyber risks requires significant investment in technology and resources, and one element is typically a cyber risk insurance policy. Having cyber insurance safeguards an organization against substantial financial should a significant cyber-incident occur, such as ransomware.
This blog is the first of a series looking into cyber insurance and its relevance in this increasingly-digital era. The proceeding blogs will look more closely into its governance, legalities, future risk and the undeniable business advantage of obtaining cyber cover in the current risk environment.
Cyber insurance and ransomware
The number of cyberattacks is increasing, despite heightened law enforcement activity and legislation. A report from NetDiligence reveals that ransomware accounted for 85% of cyber insurance claims from 2018 to 2022. And data from Coalition, a US insurer, states that in 2023, 40% of companies claiming on their cyber risk insurance policy paid the extortion demand.
Organizations are willing to pay the ransom to mitigate further damage. And often, paying the ransom actually works out more cost-effective for the insurer as recovery costs are typically higher than the ransom cost. However, with cybercriminals achieving their primary goal of receiving financial payout, this makes future attacks both more likely and more frequent.
When the cyber insurance policy covers businesses in the cases where a claim results in extortion payments being made to cybercriminals, there is the argument that insurers covering the ransom cost could potentially fund the next cyberattack. As indicated previously, this increases risk, which in turn forces premiums to rise. As far as I know there is no other type of insurance where the insurer is funding the payment to those that cause the claim, and future claims, paying the arsonist, so to speak.
What determines an organization’s insurability?
The insurance market relies on data and knowledge of the risk being insured. In most insurance markets, there is significant history available for an underwriter to make an informed decision on the probability of an incident that will result in a claim. While cyber risk insurance is not new, insurers have lacked the data needed to fully understand the risk.
This has resulted in significant claims being made and the insurers running at a loss or breaking even for several years. It’s only in the last couple of years that insurers have returned a profit from cyber risk policies. This change has come at a cost to the insured, both in increased premiums and in the requirements of the policies.
The cyber insurance market now requires companies to mitigate risk through pro-actively deploying cybersecurity technologies to minimize risk of attack. In turn, this minimizes the risk of claims against the insurer. The requirements vary from policy-to-policy, and the more robust the cybersecurity posture, the lower the premium and more favorable the coverage options.
What do cyber insurers look for?
The technologies cyber insurers look for include standard cybersecurity practices such as backup and restore procedures as well as regular employee cybersecurity training. When it comes to what makes a prospect more insurable, it’s the adoption of advanced technologies like vulnerability and patch management, network segmentation in alignment with zero trust principles, endpoint detection and response (EDR), and the use of a security information event management solution (SIEM).
For environments where companies don’t have the internal skill sets needed to manage advanced cybersecurity solutions, investing in managed services such as managed detection and response (MDR) is an effective approach to significantly reduce risk. This therefore makes them more appealing to cyber insurance providers.
The need to make insurance accessible for all
The path to being insured can be complex, requiring extensive questionnaires and pre-insurance cybersecurity posture scans. For many smaller businesses this can be a barrier, causing low market acceptance from the very companies that would likely benefit the most from being insured.
An average insurance claim for a cyber-incident in 2022, according to NetDilligence, was around $180,000, an amount high enough to cause serious damage to a business’s finances. The UK government has attempted to make cyber insurance available to even the smallest of businesses through its Cyber Essentials scheme, where a company can adopt a minimum cyber security posture and receive certification with a £25,000 cyber risk insurance policy.
For small and medium size businesses, the issue is not only financial, it’s also one of resource. A lack of skilled cyber-response experts to deal with the aftermath of a cyberattack is something a cyber insurance policy may also provide. The insurer wants the business up and running as fast as possible. Providing teams of experts to help with efficient response and recovery minimizes the financial losses, thus reducing the magnitude of a potential claim. This cover may also include access to legal advice, potentially reducing claims for regulatory fines and minimizing class action lawsuit claims.
Other parties impacted by a cyberattack are the customers of a business, whether consumers or another business. They have an expectation that their transactions and data shared with a company are secure. It’s becoming common place in agreements and contracts between businesses to find a cyber risk insurance clause requiring third party cover should there be a data breach. Adding one more reason for companies to have cyber risk insurance if they don’t already have it.
Cyber risk insurance should be the new norm
The move to a more digital environment seen globally means that cyberattacks are a reality of doing business today. Maintaining a good cybersecurity posture and offsetting the risk with a cyber risk insurance policy is now a cost of doing business in the same way companies insure against fire and theft.
Learn more about the importance of cyber insurance and how organizations can improve their insurability in our latest whitepaper, Prevent, Protect. Insure.