Cyber Insurance is Becoming More Complex

Plans are harder to get, premiums are up, and the industry is changing 

Nearly every aspect of our daily lives is digital. From email servers to healthcare portals, and from streaming services to mortgage applications, the digital landscape is moneyed, crowded, and dangerous.

Headlines continue to be dominated by news about scams, phishing attempts, data breaches, and massive ransomware attacks. In response, over the past years, cyber insurance has become a necessity for many businesses. Companies across all industries are looking to protect themselves legally and financially in the case of a cyberattack.

Mike Wilson points out in Forbes that the growing demand, coupled with increasing payouts, is driving the cyber insurance industry to rethink how and why they provide insurance packages, including cyber assessments and responsive premiums.

These changes mean cyber insurance is becoming more difficult to obtain if your company hasn’t taken extensive action to bolster defenses already. Companies who do already have cyber insurance may be finding they can’t simply renew their plans; both requirements and premiums are increasing. For context, direct-written premiums for cyber insurance collected by U.S. insurance carriers in 2021 grew by 92% year over year.

What does Cyber Insurance do? 

Cyber insurance policies are multifaceted. They help protect organizations legally and financially in case of a breach or attack. For example, a company might seek liability coverage over a breach leading to the leaking of personal or sensitive client information. Or an organization might seek a financial bail-out in the case of a ransomware attack where they have to pay to retrieve stolen data.

What’s changing, practically speaking? 

1. Plans and premiums are becoming more expensive.
   • The cost of cyber insurance premiums has soared as the number of attacks, and the severity of attacks, continue to grow. In the U.S., prices in Q2 2022 increased 79% compared to 2021. Essentially, the stakes are higher for everyone, and even companies that have been approved before might find it much more expensive to renew their policy.
2. Requirements are increasing.
   • Depending on the company, taking out a cyber insurance policy will require certain criteria to be met, and not everything will be covered. The process of securing cyber insurance will be increasingly arduous, especially as businesses themselves scramble to catch up with contemporary best practices.
   • Your application for cyber insurance will likely be denied unless your company can prove you have strong defenses already in place. This will entail everything from basic cyber hygiene controls, multi-factor authentication, stronger password policies, a plan of action in the case of an attack, and backup procedures. Following NIST security guidelines will likely become essential to obtain and retaining coverage.
3. Certain types of attacks aren’t covered.
   • It won’t come as a surprise that as governments, school districts, and countries themselves come under cyber attack, insurance schemes are changing. Some companies have announced that moving forward, global insurers “must exclude nation-backed attacks” from their policies. In the U.S., an act of war is no longer covered.
4. Audits will happen more frequently.
   • Due to increased risk and higher monetary stakes, businesses will likely be audited before a policy is underwritten, and perhaps on an ongoing basis. Audits are performed to determine the level of risk, and directly affect the resulting premium.

It’s a challenging time for businesses. A recent Forrester report estimated that a data breach costs the average organization $2.4 million. However, only 55% of survey respondents currently have cyber insurance, and as it becomes more obligatory, the process is becoming more complex.

As companies adjust to a) the need for strong, full coverage cyber insurance policies, b) more expensive premiums and c) increasing cybersecurity requirements to qualify for a plan, Wilson is right: the entire industry is in flux.