Companies Face Challenges in Cyber Insurance Policies
Increase in Premiums and Decrease in Coverage
Companies are facing a difficult situation when it comes to their cyber insurance policies. As significant breaches and growing payouts have continued to make headlines, insurers have responded by raising premiums and granting less coverage. According to the “2023 State of Cyber Insurance” report published by access-management firm Delinea, two-thirds of companies have seen their premiums rise by more than 50% in the past year. Despite the cost, companies still feel the need to carry policies and are allocating more budget to pay for the increases.
The reason behind this rise in premiums and stricter terms is the high number of claims that companies have submitted to their cyber insurance providers. The report found that 80% of companies have submitted at least one claim since purchasing a policy, with 47% using their cyber insurance multiple times. These frequent claims have forced insurers to adjust their costs and premiums to the current market.
Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea, explains that insurance companies were not prepared for the high impact and high frequency of cybersecurity incidents. However, with better access to data and a maturing market, insurers are now able to make quantified risk-based decisions. This means that premiums are higher, but the coverage is sufficient to recover from a breach.
The Evolution of the Cyber Insurance Industry
The cyber insurance industry has undergone significant changes in recent years. Five years ago, insurance companies were seeing profits in this sector, with a loss ratio of only 32%. This means that insurers paid out $32 in claims for every $100 they earned in premiums. However, according to the “2022 Cyber Insurance” report released by the National Association of Insurance Commissioners (NAIC), the loss ratio has now reached 66%, which is on par with the profits made on homeowner’s insurance premiums.
To maintain profitability, the industry has increased premiums by 74% in 2021 and implemented stricter restrictions on coverage. Payouts are typically capped between $1 million and $3 million. The industry has shifted from relying on gut instinct to using incident data to make pricing policies, leading to quick adjustments in prices.
Meghan Hannes, Head of US Cyber and Tech Underwriting Management at insurance firm Beazley, explains that the economics of cyber insurance have gone through significant changes in the past five years. The rise of ransomware attacks in late 2018 put a strain on insurers, forcing them to increase prices rapidly.
Significant Gaps in Coverage
The evolving nature of the cyber insurance industry has led to an increasing number of requirements that could leave companies without coverage if not met. The Delinea report highlights that under many policies, coverage is void if a company fails to have security protocols in place, suffers an insider attack, or does not report the incident to the insurance firm first. Additionally, only about half of policies cover data recovery, incident response services, and the cost of impact on customers and partners.
Smaller companies with limited security budgets face more significant challenges in gaining coverage. The report shows that 28% of small business applicants fail to get coverage, compared to only 8% of large companies. Despite the difficulties, the majority of business leadership (81%) continues to allocate budget to pay for the higher cyber insurance premiums.
Insurance Leads to Better Security Measures
Despite the increasing costs and stricter terms, there is a compelling reason for companies to invest in cyber insurance. The process of applying for insurance, along with insurers’ requirements, has led companies to be more diligent about their security measures. The Delinea report reveals that 96% of companies purchased at least one new security solution to gain policy approval from their insurer.
Joseph Carson explains that insurance providers are maturing and demanding better security best practices from businesses before providing coverage. This has forced companies to adopt improved security measures, resulting in a more resilient stance against cyberattacks. Common requirements include reliable backup and recovery processes and multi-factor authentication.
Companies that take the time to prepare and go through risk assessments as part of the cyber insurance process are well-prepared when a cyber incident occurs. Their proactive approach ensures they can engage immediately with the resources provided by their cyber insurance, leading to a potentially lesser severity of the incident.
Editorial: Balancing Act for Companies in the Face of Rising Costs and Shrinking Coverage
The rising costs and shrinking coverage in the cyber insurance industry present a significant challenge for companies. On the one hand, they need insurance to protect themselves from the potential financial devastation caused by a cyber breach. On the other hand, the increasing costs and stricter terms may make insurance unaffordable or insufficient for their needs.
Companies now find themselves in a delicate balancing act. They must carefully assess their cyber insurance policies, taking into account the rising premiums and the decreased coverage. It is crucial for companies to understand the specific requirements and limitations of their policies. Failure to meet these requirements or limitations could jeopardize their coverage, leaving them exposed in the event of a breach or security incident.
Smaller companies, already facing budget constraints, are particularly vulnerable in this situation. The higher premiums and more rigorous requirements may make it difficult for them to obtain the coverage they need. This discrepancy highlights the need for insurance providers to develop more flexible and tailored options for companies of all sizes.
It is also essential for companies to recognize the impact that cyber insurance requirements can have on their overall security posture. The process of applying for insurance and meeting insurers’ requirements has led to improved security measures for many organizations. This is a positive development, as companies are forced to prioritize cybersecurity, implement best practices, and invest in the necessary tools and solutions to protect their data.
However, companies must not view cyber insurance as a replacement for robust cybersecurity practices. Insurance should be seen as a complementary measure, providing financial protection in the event of a breach, but not as a substitute for comprehensive security measures. Companies must take a proactive approach to cybersecurity, continuously assessing and improving their defenses, rather than relying solely on insurance to mitigate risks.
Advice: Navigating the Changing Landscape of Cyber Insurance
In light of the changing landscape of cyber insurance, companies should take several steps to navigate these challenges effectively:
Evaluate Policy Options:
Companies should assess their existing cyber insurance policies to determine if they provide sufficient coverage for their needs. It is essential to review the terms, limitations, and requirements of the policies to ensure they align with the company’s cybersecurity practices.
Engage in Risk Assessment:
Conducting a thorough risk assessment can help companies identify potential vulnerabilities and implement the necessary security controls. This not only strengthens their overall security posture but also demonstrates their commitment to insurers, increasing the likelihood of obtaining comprehensive coverage.
Invest in Cybersecurity Measures:
Companies should prioritize cybersecurity investments, including reliable backup and recovery processes, multi-factor authentication, and other essential security tools and solutions. Demonstrating a commitment to robust cybersecurity practices can help negotiate better coverage terms and premiums with insurance providers.
Seek Expert Advice:
Engaging with cybersecurity experts and insurance brokers can provide valuable insights and guidance for navigating the complexities of cyber insurance. They can help evaluate policy options, assess risks, and negotiate favorable terms with insurance providers.
Consider Alternative Strategies:
If the cost of cyber insurance becomes prohibitive or coverage is insufficient, companies should explore alternative risk mitigation strategies. This may include partnering with cybersecurity companies for incident response and recovery services or implementing more comprehensive internal security measures.
In conclusion, companies face significant challenges in reassessing their cyber insurance policies due to the rising costs and shrinking coverage. However, by carefully evaluating their options, engaging in risk assessments, investing in cybersecurity measures, seeking expert advice, and considering alternative strategies, companies can navigate this evolving landscape more effectively. It is crucial for companies to strike a balance between insurance coverage and comprehensive cybersecurity practices to protect their assets and mitigate risks in an increasingly digital world.
<< photo by Mikhail Nilov >>
The image is for illustrative purposes only and does not depict the actual situation.
You might want to read !
- Fortifying Organizations: Exploring the Enhanced Security Capabilities of GitHub Enterprise Server
- Unveiling the Cyber Insurance Gap: Delinea Research Exposes Vulnerabilities
- The Growing Threat of Ransomware Attacks: Rackspace and the Cost of Cleanup
- The Balancing Act: Legacy System Users’ Uphill Battle Between Uptime and Security
