Prices are rising everywhere. It’s doubtful, however, that anything has increased in price as much as cybersecurity insurance premiums in the past couple of years.
And unlike other price increases, it has nothing to do with inflation. Don’t associate rising insurance rates with rising profits either. While cybersecurity policies were profitable at one time, losses on these policies are steadily mounting for insurance companies, which is why Lloyd’s of London made an announcement that is fueling speculation on the future of cybersecurity insurance. Lloyd’s of London currently holds nearly 20% of the entire cyber insurance market. The company announced last November that the current model for cyber insurance is no longer sustainable and, as a result, it is discouraging its syndicate from taking new cyber business in 2022.
What Cyber Insurance Covers
Before we analyze the challenging financial state of cybersecurity insurance, let’s outline what a typical policy covers today. Policies typically cover the following costs:
- Forensic analysis to identify the attack source
- Costs to regain access or restore your data from backups or other sources
- Notification of clients and/or regulatory bodies
- Credit monitoring services for affected individuals
- Ransomware demands and specialists to manage ransom negotiations
- Legal costs and public relation services
Depending on the type of incident, the insurance company may provide experts to assist in dealing with the situation at hand to advise the client and identify ways to lower the cost of restoration.
Rising Costs and Rising Demands
On the surface, it might appear that policy rates are rising along with demand. Fitch Ratings estimates that demand for cyber insurance increased by 28% in 2022. During this period, it is estimated that U.S. businesses paid an average annual premium of $1,485 for a policy stipulating a liability limit of $1 million. This finding is based on the estimates provided by 43 insurance companies for a customer with $1 million in revenue that exemplified moderate risk levels. According to a survey of insurance brokers, more than half said that prices for their clients rose from 10% to 30% by the end of 2020. Only 15% reported no increases.
In 2021 these prices continued to grow. The average premium increased 25.5% during the second quarter of 2021 according to a survey from the Council of Insurance Agents & Brokers (CIAB). This is on top of an increase of 17% in the first quarter of the year. It is estimated that cyber insurance prices are increasing 50% year over year and that companies should expect that trend to continue going forward.
Rising Costs Equate to Mounting Losses
The rising costs of cybersecurity policies tell only half the story. While demand and prices rose significantly, claims made against businesses with under 250 employees, for instance, increased 57% during the latter half of 2020. While the most popular claim involves email phishing, the real culprit for the increased costs is ransomware. In 2020, the total amount of ransom paid by victims was nearly $350 million, an increase of 311% over the previous year. The ransom, however, only represents a portion of the actual cost to the victimized organization. The average cost of remediation rose to $1.85 million in 2021 compared to $700,000 in 2020. Now consider the fact that ransomware accounted for 41% of all cyber insurance claims in the first half of 2020.
Frequent ransomware claims, along with their burgeoning payouts, are what is driving the insurance companies’ losses. According to an S&P Global report, loss ratios increased for the third consecutive year in 2020. Case in point: in 2016, 43 cents out of every dollar paid in cyber insurance premiums was spent on paying insurance claims or related costs. Prior to 2019, the loss ratio never went as high as 48 cents. In 2020 it ballooned to 73 cents. The truth is that cybersecurity insurance was created when ransomware attacks were conducted on individuals for nominal payouts. These policies were not developed for today’s ransomware environment.
Other Actions to Cut Costs by Insurance Companies
One of Europe’s biggest insurers announced last summer that it will suspend policies in France that reimburse victims for ransomware payments. The company justifies its decision by stating that the very act of paying the ransoms is encouraging more ransomware attacks to occur. As a result, the company experienced a 260% increase in the frequency of ransomware attacks amongst its policyholders, with claims ranging from $1,000 to $2 million. In another example of cost-cutting actions, AIG announced last year that it was reducing the limits of its cyber policies. These limits represent caps on the amounts that insurance companies will pay on a claim.
What Policyholders Can Do
Insurance companies are now starting to make demands of their policyholders concerning their security practices. Just as drivers with a clean driving record are eligible for auto insurance discounts, insurance companies are incentivizing good cybersecurity strategies from their clients as well. For instance, policy renewals for some companies are being predicated on the enablement of multifactor authentication (MFA) for remote access. In fact, MFA is one of the most frequent requirements of insurance companies today. Some other requests include:
- Backups of your network
- Incident Response Readiness – written incident response plan (WISP), compromise assessment, training
- Patch Management
- Regular Penetration Testing
- Risk Assessment to establish Duty of Care
- Compliance Requirements Management (PCI DSS, HIPAA, Privacy, Client contracts)
Insurance companies are also conducting background checks to research a company’s cyber incident history. In addition to the frequency of reported incidents, insurers want to find out how a company dealt with a prior attack. In some cases, insurance companies are even working with clients to enhance their existing risk management strategies to reduce their risk factors. These collaborative efforts benefit both parties, as they help reduce premiums for the client while minimizing risk exposure for the insurer.
Navigating through the Insurance Process
Finding the right cybersecurity policy can prove a challenging process today. Getting an ample policy for your needs without breaking the bank requires due diligence on your part. This goes beyond getting quotes from multiple insurance providers. It means reviewing your cybersecurity strategies against the controls that insurance companies are requiring today. An independent cybersecurity team can help substantially in preparing your organization for this.
Understanding the requirements for your specific security and risk profile is key for getting proper coverage. HALOCK can help you review your business environment and establish reasonable security based on the Duty of Care Risk Analysis (DoCRA) for your network. Start the process for effective and efficient security and insurance with these top considerations when pursuing cyber insurance.