What you Need to Know about Cyber Insurance

The fact is that cyber liability insurance premiums climbed double digits in 2020 and are continuing to accelerate upwards. 

Thrive Global invites voices from many spheres to share their perspectives on our Community platform. Community stories are not commissioned by our editorial team, and opinions expressed by Community contributors do not reflect the opinions of Thrive Global or its employees. More information on our Community guidelines is available here.

It seems a lot of things are getting more expensive these days.  Well, if you are shopping for cyber insurance, get ready for another sticker shock, especially if you are about to renew an existing policy purchased more than two years ago.  Here are three discouraging truths about cyber liability insurance right now:

  • Premiums are going up.
  • Payouts are becoming stricter.
  • It’s more difficult to qualify for it.

The fact is that cyber liability insurance premiums climbed double digits in 2020 and are continuing to accelerate upwards.  Global insurance pricing has increased over a twelve-month period by an average of 32% as of June 2021.  Unfortunately, prices haven’t peaked.  According to Standard & Poor’s Corp, cyber insurance premiums are expected to increase 20 % to 30% per year on average in the near future for this $5 billion annual market. 

Mounting Losses Lead to Higher Premiums

Insurance companies are in the risk allocation business.  To remain profitable, the premiums they charge must exceed the amount of their payouts and included expenses.  Historically, insurance companies have raised property insurance premiums in a given area after mounting losses due to heavier storms.  It’s the same thing with cyber insurance.  The past 18 months have seen massive hurricane-like season of devastating cyber attacks.  With the proliferation of ransomware attacks that are up yet another 151% for the first half of this year, cyber insurance companies have been taking it on the chin lately.  Consider all the data breaches and far-reaching supply chain attacks over the past year or so and you start to appreciate the scope and impact. 

Losses are mounting. The average paid loss for a closed standalone cyber claim rose from $145,000 in 2019 to $358,000 in 2020.  The industry statutory direct loss plus defense and cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73%compared with an average of 42% for the previous five years (2015-2019).  While it’s easy to put the blame on insurance companies, these higher premiums are necessary and are still not making up for the huge losses they have experienced over the past year or so. 

Why you still Need Cyber Insurance

While paying more for lesser insurance can be disheartening, don’t let it become a reason to procrastinate the purchase process. Cyber insurance is a necessity today as general liability policies rarely cover the expenses involved in a security incident.  An adequate policy usually covers the liability costs incurred by a data breach or other disruptive cyber incident.  In the event of a breach involving personal data of third parties, you can expect to pay for the following:

  • Breach notification to affected parties.
  • IT forensics and other investigative costs.
  • Data restoration and verification.
  • Outside public relations expertise.
  • Credit monitoring and identity restoration.

Plus, there are the associated legal expenses that often come down the road.  These include legal defense costs as well as fines or penalties involving issues of compliance and regulatory measures.  Many businesses are not aware of the wide-reaching impact of that compliance regulations (such as GDPR and CCPA) have on organizations that reside outside of those jurisdictions, which include litigation costs relating to class action suits or settlements. Having insurance can ease the process of recovery and business resiliency, as they are prepared to address complex scenarios.

Because ransomware attacks have become so frequent, cyber insurance companies will often supply a negotiator to deal with the perpetrators and settle upon a ransom amount if that is the decided course of action.  They even consider the cost of network interruption which can negatively impact profits from a breach or attack.  A cyber incident can include a massive system failure as well that could hamper a business from fulfilling their contractual obligations.  Even disruptive events involving human error can be covered.

And the attacks are advancing. Gartner is warning companies that in only a few years, organizations will have a lot more to worry about than just extortions and compromised data.  Gartner states that by 2025, cyber attackers will have weaponized operational technology environments to actually perform commercial and reputational vandalism, or worse – the ability to harma human life.  They predict that the financial impact of these attacks will reach $50 billion by then and that CEOs will be personally liable for such incidents.

Qualifying for Cyber Insurance

Like any type of insurance, an insurance company doesn’t have to insure you.  In the same way that a life insurance company is hesitant to open a new policy for a stunt daredevil that is also a heavy smoker, a cyber insurance company doesn’t want to cover a company that has made minimal effort to protect itself against threats.  Cyber insurance companies are tightening the reigns and denying coverage for organizations that do not meet the minimum-security requirements. Insurers today want their customers to have proven security and backup strategies in place with procedures that enforce the patching and updating of systems and software. 

Cyber Insurance and Remote Work

Like any insurance policy, you must read the fine print.  This is especially important today with so many companies having implemented remote work strategies as of late.  For instance, an insurer may not cover computers that reside off premise in the same way as they do on-premise machines. What about system failures that relate to the home network of an employee, or a highly impacting error performed by a senior employee working from home? Policies are very precise in what they cover. Scrutinize the coverage details in your specific working environment.

Getting Started

Cyber insurance is complicated and expensive today.  It can be hard to obtain and hard to understand.  Not all cyber insurance policies are created equal either.  That’s why you need someone that can sit down with you to fully understand the process, someone that knows how to garner you the exact policy that fits your needs. 

There are many security nuances to consider when getting cyber insurance. To help start your planning, here is an overview of 12-steps for cyber security compliance by The Independent Insurance Agents & Brokers of America, Inc. Agents Council for Technology (ACT).

  1. Risk Assessment – Evaluation of an organization’s risks that could have a negative impact on its business operations and how to mitigate those risks through security controls. An ongoing risk management program provides continuous maintenance and insight on your risk profile and how to enhance your security.
  2. Documented Security Policy – A company’s plan and protocols to continuously protect their data, network, information, and other assets.
  3. Incident Response Plan (IRP) – An organization’s approach and response to a security breach on minimizing impact and recovery time. Explore an ongoing program that gets in front of any potential cyber security threats or attacks. You can be response ready with an Incident Response Readiness as a Service (IRRaaS) program.
  4. Security Training and Monitoring – Regular training and review of employees that manage data or access to an organization – physical or electronic. This can include Security Awareness, Incident Response Team, or First Responder training.
  5. Penetration Testing & Vulnerability Scanning – Ongoing testing if security controls are effective against vulnerabilities. Consider a recurring Penetration Testing program to assess your safeguards throughout the year for a proactive security approach.
  6. Access Control Protocol – Ensuring only authorized parties have access to sensitive information such as ePHI or PII.
  7. Documented Security Policy for Third-Party Service Providers – Policies and procedures on how third-parties manage information of a client’s systems and information.
  8. Encryption of Non-Public Information – Encoding data to only be ready by sender and intended recipient.
  9. Designation of Chief Information Officer (CIO) or Executive
  10. Audit Trail – Step-by-step history of a process to confirm good internal controls.
  11. Multi-Factor Authentication (MFA) – Security system that requires more than one method of authentication to verify a user’s identity.
  12. Procedure for Disposal of Non-Public Information – Process on properly disposing of information and documents.

Consult with experienced subject matter experts at HALOCK who can not only help match you up with the right policy but can help create a security profile and strategy to reduce your risk as well as your insurance premiums. Focus on your business and know that you are protected.

    Share your comments below. Please read our commenting guidelines before posting. If you have a concern about a comment, report it here.

    You might also like...


    Compare Cyber Insurance Policies

    by Francis Dimaano

    “5 things you should ask.” Jason Hartman & Ty Stewart

    by Jason Hartman

    It’s Good to Simplify, but Don’t Take it Too Far with Insurance

    by Maxime Croll
    We use cookies on our site to give you the best experience possible. By continuing to browse the site, you agree to this use. For more information on how we use cookies, see our Privacy Policy.