Cyber insurance costs soar amid ransomware attacks and recurring breaches, policies getting harder to obtain
That cyberattacks have been on the rise is one fact we unfortunately read every year. The cost of these attacks has also been rising steadily, standing at a global average of $4.35 million, according to the Cost of a Data Breach report. This cost is an all-time high in the report’s 17 years running and highlights the result: at the end of the day consumers foot the bill for breach costs.
But there’s another bill that is being passed on to consumers, and that’s the insurance bill that companies pay to get coverage in case of a cyber-attack. The Cost of a Data Breach report found that 83% of respondents have suffered more than one breach, and these recurring events are causing insurers to re-evaluate their risk profiles.
With more attacks taking place, insurers have been paying out on cyber insurance and no longer make the same profits as risk continues to rise. Reports show that cyber insurers kept only about half as much of each premium dollar as they did just before the pandemic: 27 cents of every dollar in 2021, compared with 52 cents on the dollar in 2019. As a result, insurance premiums have been climbing sharply and policies are harder than ever to obtain – and that process is expected to become more challenging yet.
Cyber Insurance Market Grows and Gets Costlier Over Time
Not many companies nowadays can forego a cyber insurance policy. Cyber-attacks are a business risk like any other, and they can be very impactful. We can see this business need translate into major growth of cyber insurance. In the US alone, cyber insurance has become the fastest-growing line of insurance for most insurers, with growth of 74% in 2021, representing over $4.8 billion. Moreover, the cyber insurance market is expected to reach a market size of $25 billion by 2026, according to an annual cyber report by The Howden Group.
This market is not only growing, but it’s also becoming more expensive to get policies. Cyber insurance pricing continued to rise significantly, up 79% in the US and 68% in the UK. Unfortunately, over 82% of global insurers expect cyber insurance premiums to continue to rise, citing the cost of ransomware attacks as a leading factor feeding into the cost of those premiums.
Pay More for Narrower Coverage
Insurance is a risk equation. The more cyber-attacks companies experience, the more they claim on cyber-insurance. The more losses insurers absorb, the higher costs are, but also, the narrower policies are getting. This is happening in three significant ways:
1. Exceptions to the cyber insurance policy
2. Stringent conditions to be granted a policy or renew one
3. Cutting off the riskiest cost factors – like ransomware. To that effect, AXA SA announced that its French subsidiaries will no longer reimburse ransomware payments for customers within the country. Similar news from Lloyd’s of London states that its insurer groups globally will exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting 2023.
Prove Your Security Maturity to Get Insured
Another change that sets the bar higher is having to prove there are cybersecurity controls in place, and also prove security maturity, for organizations that wish to get or renew a cyber insurance policy.
For starters, insurers are routinely asking organizations to provide details about their cyber policies and procedures to determine their risk profile in insuring them. Those who fail this test stand to pay very high premiums or be denied the policy altogether. These concepts are not foreign to anyone who ever got insurance of any other kind, but cyber insurance is fast becoming a product one must prepare for in advance, and security chiefs are learning that this process can be longer than anticipated.
It is not enough to provide answers to a questionnaire; insurers will send experts in to run a security risk assessment. Expect to see these professionals assess the attack surface your organization faces, evaluate the controls you have in place and the security architectures, and review the responses your team provided to the insurer’s questionnaire. Failing to perform essential security routines, like patching systems or mitigating risks properly, can simply void the policy at the worst possible moment.
This risk management process stands to get more developed over the next two years, as some insurers already demand to see reports from certain security orchestration, automation and response (SOAR) platforms they deem trusted. Their goal remains to gain additional insight into how secure their client might be, and how resilient they can expect them to be in case of a successful cyber-attack.
Ransomware, The War and Hostile Acts Exclusion, and OFAC Advisory
Like any other policy, the inclusions vary by insurer and the extras paid for on the policy. Most cyber insurance policies can cover data breaches, ransomware attacks, business email compromise (BEC fraud), and other attacks stemming from phishing and social engineering. Some policies can cover both the victimized organization and add coverage for third-party impact, but those may require a certain level of coverage to qualify for added policies.
Since claims keep coming in, over time insurers are becoming more specific about the context of coverage and often end up in court to have judges make the final call on whether or not they will pay out. With ransomware being a costlier attack, due to the ransom amount coming on top of other losses, and since most of these attacks are perpetrated by foreign attackers, insurers are explicitly excluding “war and hostile acts”. Defining cybercrime as an act of war has not always worked in court, but it is an important exclusion to keep in mind when preparing to deal with a ransomware attack.
Other types of cyber insurance exclusions that are rather common:
- Indirect compromise, such as incidents that started via third parties (rising in frequency and requiring third-party coverage)
- Lost or stolen portable devices (a rather common occurrence requiring a different type of insurance)
- Failures to maintain agreed-upon security practices, controls and protocols.
Another related subject has been the OFAC advisory that made paying criminals in sanctioned countries a federal crime. Is it stopping companies from paying cybercriminals? IBM X-Force says organizations are still paying as cybercriminals shift tactics to hide and confuse investigators as to where they might really be operating from.
That said, OFAC considers anyone involved in paying out the ransom to be within its scope. That includes insurers. Those who plan to consider paying a ransom have to take this into account – if it is revealed at some point that the attackers operate out of a sanctioned country, the consequences of the breach can get legally complicated for all parties involved.
Both OFAC and CISA advise against paying ransoms, a piece of advice that insurers are happy to consider: “Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.” (CISA)
Alas, as long as paying criminals to end cyber-extortion remains an option, companies will pay out and will continue to buy insurance. It is not farfetched to envision that more insurers will decide to stop paying out for ransom, but only time will tell.
Navigating the Cyber Insurance Waters with Risk Quantification
Obtaining a cyber insurance policy is a business endeavor that is managed through the typical channels businesses have in place for other types of insurance, but in this case, it also requires CISOs and their management to work together. Guided by risk appetite and risk assessments, executives can determine what type of coverage the organization would require and what sort of policies would best address their needs. Securing the right coverage can provide adequate protection and minimize risk in the event of a major cyber-attack.
One method that can help make this process more structured, and also aid in annual re-assessments and renewals, is Risk Quantification: translating cybersecurity risk into financial terms.
Quantifying risk in monetary value can help empower cyber insurance business decisions that everybody understands, including the CFO and CEO who have to approve the amount they will pay for coverage based on the “amount” of risk they are addressing.
A good example of using risk quantification within the context of calculating coverage is using the Cost of a Data Breach report. The benchmark data in the report helps companies understand the cost of cyber-attacks and then calculate the amount of coverage they would likely need, based on their sector and geography, the types of attacks they can potentially face, the cost per data record they hold, etc. This data is added to existing risk profiles and supports the decision with data from real-world attacks.
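The following is an added worked example of the quantification step described above; it is not code from the original article or from any report it cites. It turns a handful of attack scenarios (ransomware, BEC fraud, data breach) into an annualised loss expectancy and a simulated loss distribution, then shows how a policy retention and limit change what the company keeps. All probabilities and dollar ranges are constructed for illustration, not benchmark figures.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance the scenario occurs in a given year
    low: float                 # best-case single-event loss, USD
    mode: float                # most likely single-event loss, USD
    high: float                # worst-case single-event loss, USD

# Constructed illustrative inputs; replace with sector/geography benchmark data.
SCENARIOS = [
    Scenario("ransomware", 0.15, 500_000, 2_000_000, 8_000_000),
    Scenario("bec_fraud", 0.30, 50_000, 150_000, 600_000),
    Scenario("data_breach", 0.10, 1_000_000, 4_000_000, 12_000_000),
]

def analytical_ale(scenarios):
    """Annualised loss expectancy: probability times mean triangular loss."""
    return sum(s.annual_probability * (s.low + s.mode + s.high) / 3 for s in scenarios)

def simulate_annual_losses(scenarios, years=20_000, seed=7):
    """Monte Carlo: total loss per simulated year, at most one event per scenario."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                total += rng.triangular(s.low, s.high, s.mode)  # arg order: low, high, mode
        losses.append(total)
    return losses

def percentile(values, q):
    ordered = sorted(values)
    return ordered[min(int(q * len(ordered)), len(ordered) - 1)]

def retained_loss(loss, deductible, limit):
    """What the insured still pays under a policy with a retention and a limit."""
    insurer_pays = min(max(loss - deductible, 0.0), limit)
    return loss - insurer_pays

def coverage_summary(scenarios, deductible, limit):
    losses = simulate_annual_losses(scenarios)
    retained = [retained_loss(x, deductible, limit) for x in losses]
    return {"ale": analytical_ale(scenarios),
            "simulated_mean": sum(losses) / len(losses),
            "p50": percentile(losses, 0.50),       # typical year
            "p95": percentile(losses, 0.95),       # bad year that drives the limit
            "retained_p95": percentile(retained, 0.95)}
```

Comparing `p95` against `retained_p95` for candidate deductible/limit pairs gives the CFO a concrete number for how much of a bad year the policy actually absorbs, which is the conversation the paragraph above describes.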
Insurance is Good, Improving Security is Better
Obtaining cyber insurance is often known as risk transference – handing the risk to a willing third party. Companies do this in many instances, but when it comes to cybersecurity, it is actually better to count on a good security posture than to have to come to the point of using insurance. With insurers placing a strong emphasis on security and asking for proof of risk mitigation efforts, the conclusion should always come back to maturing the security program. And that mature security posture is also what will get companies the best coverage from insurers at better costs.
One great way to become more secure is to get on a Zero Trust journey. Security experts and organizations unanimously recommend it, and insurers favor it as well. To learn more about Zero Trust, you can visit CISA’s website or look at their Zero Trust Maturity Model.