It seems a lot of things are getting more expensive these days. Well, if you are shopping for cyber insurance, get ready for another sticker shock, especially if you are about to renew an existing policy purchased more than two years ago. Here are three discouraging truths about cyber liability insurance right now:
- Premiums are going up.
- Payouts are becoming stricter.
- It’s more difficult to qualify for it.
The fact is that cyber liability insurance premiums climbed by double digits in 2020 and are continuing to accelerate. Global insurance pricing increased by an average of 32% over the twelve-month period ending June 2021. Unfortunately, prices haven’t peaked. According to Standard & Poor’s Corp, cyber insurance premiums are expected to increase 20% to 30% per year on average in the near future for this $5 billion annual market.
Mounting Losses Lead to Higher Premiums
Insurance companies are in the risk allocation business. To remain profitable, the premiums they charge must exceed their payouts and associated expenses. Historically, insurance companies have raised property insurance premiums in a given area after mounting losses from heavier storms. It’s the same with cyber insurance. The past 18 months have seen a massive, hurricane-like season of devastating cyberattacks. With ransomware attacks up yet another 151% in the first half of this year, cyber insurance companies have been taking it on the chin lately. Consider all the data breaches and far-reaching supply chain attacks over the past year or so and you start to appreciate the scope and impact.
Losses are mounting. The average paid loss for a closed standalone cyber claim rose from $145,000 in 2019 to $358,000 in 2020. The industry statutory direct loss plus defense and cost containment (DCC) ratio for standalone cyber insurance rose sharply in 2020 to 73% compared with an average of 42% for the previous five years (2015-2019). While it’s easy to put the blame on insurance companies, these higher premiums are necessary and are still not making up for the huge losses they have experienced over the past year or so.
Why You Still Need Cyber Insurance
While paying more for less coverage can be disheartening, don’t let it become a reason to put off the purchase process. Cyber insurance is a necessity today, as general liability policies rarely cover the expenses involved in a security incident. An adequate policy usually covers the liability costs incurred by a data breach or other disruptive cyber incident. In the event of a breach involving the personal data of third parties, you can expect to pay for the following:
- Breach notification to affected parties.
- IT forensics and other investigative costs.
- Data restoration and verification.
- Outside public relations expertise.
- Credit monitoring and identity restoration.
Plus, there are the associated legal expenses that often come down the road. These include legal defense costs as well as fines or penalties for compliance and regulatory violations. Many businesses are not aware of the wide-reaching impact that compliance regulations (such as GDPR and CCPA) have on organizations residing outside those jurisdictions, including litigation costs relating to class action suits or settlements. Having insurance can ease recovery and support business resiliency, as insurers are prepared to address these complex scenarios.
Because ransomware attacks have become so frequent, cyber insurance companies will often supply a negotiator to deal with the perpetrators and settle on a ransom amount, if that is the decided course of action. They even consider the cost of network interruption resulting from a breach or attack, which can negatively impact profits. A cyber incident can also include a massive system failure that prevents a business from fulfilling its contractual obligations. Even disruptive events caused by human error can be covered.
And the attacks are advancing. Gartner is warning companies that in only a few years, organizations will have a lot more to worry about than just extortion and compromised data. Gartner states that by 2025, cyber attackers will have weaponized operational technology environments to perform commercial and reputational vandalism, or worse – to harm human life. They predict that the financial impact of these attacks will reach $50 billion by then and that CEOs will be personally liable for such incidents.
Qualifying for Cyber Insurance
Like any type of insurance, an insurance company doesn’t have to insure you. In the same way that a life insurance company is hesitant to open a new policy for a stunt daredevil who is also a heavy smoker, a cyber insurance company doesn’t want to cover a company that has made minimal effort to protect itself against threats. Cyber insurance companies are tightening the reins and denying coverage to organizations that do not meet minimum security requirements. Insurers today want their customers to have proven security and backup strategies in place, with procedures that enforce the patching and updating of systems and software.
Cyber Insurance and Remote Work
Like any insurance policy, you must read the fine print. This is especially important today, with so many companies having recently implemented remote work strategies. For instance, an insurer may not cover computers that reside off-premises in the same way it covers on-premises machines. What about system failures that relate to an employee’s home network, or a high-impact error made by a senior employee working from home? Policies are very precise in what they cover. Scrutinize the coverage details against your specific working environment.
Cyber insurance is complicated and expensive today. It can be hard to obtain and hard to understand. Not all cyber insurance policies are created equal either. That’s why you need someone who can sit down with you to fully explain the process, someone who knows how to secure the exact policy that fits your needs.
There are many security nuances to consider when getting cyber insurance. To help start your planning, here is an overview of the 12 steps for cybersecurity compliance from The Independent Insurance Agents & Brokers of America, Inc. Agents Council for Technology (ACT).
- Risk Assessment – Evaluation of an organization’s risks that could have a negative impact on its business operations and how to mitigate those risks through security controls. An ongoing risk management program provides continuous maintenance and insight on your risk profile and how to enhance your security.
- Documented Security Policy – A company’s plan and protocols to continuously protect their data, network, information, and other assets.
- Incident Response Plan (IRP) – An organization’s approach to responding to a security breach, focused on minimizing impact and recovery time. Explore an ongoing program that gets in front of any potential cybersecurity threats or attacks. You can be response ready with an Incident Response Readiness as a Service (IRRaaS) program.
- Security Training and Monitoring – Regular training and review of employees who manage data or access (physical or electronic) to an organization. This can include Security Awareness, Incident Response Team, or First Responder training.
- Penetration Testing & Vulnerability Scanning – Ongoing testing of whether security controls are effective against vulnerabilities. Consider a recurring Penetration Testing program to assess your safeguards throughout the year for a proactive security approach.
- Access Control Protocol – Ensuring only authorized parties have access to sensitive information such as ePHI or PII.
- Documented Security Policy for Third-Party Service Providers – Policies and procedures governing how third parties handle a client’s systems and information.
- Encryption of Non-Public Information – Encoding data so that it can be read only by the sender and the intended recipient.
- Designation of Chief Information Officer (CIO) or Executive
- Audit Trail – Step-by-step history of a process to confirm good internal controls.
- Multi-Factor Authentication (MFA) – Security system that requires more than one method of authentication to verify a user’s identity.
- Procedure for Disposal of Non-Public Information – Process on properly disposing of information and documents.
HALOCK can help. We understand cyber insurance requirements as well as the needs of our clients. Our experienced subject matter experts can not only help match you with the right policy but also help create a security profile and strategy to reduce your risk as well as your insurance premiums. Let us take the complexity out of the process, so you can focus on your business and know that you are protected.