For years, the insurance industry has struggled to come to grips with the threat of cyberattacks. Initially, insurers were slow to create offerings in this area. That is starting to change, and more carriers now offer cyber insurance policies. New tech-forward insurers are also gaining prominence by bundling required and optional-use technologies with their policies.
Unfortunately, amid a rise in the number of high-profile attacks over the last couple of years, cyber insurance policies are becoming increasingly expensive, with premiums rising at an alarming rate. In some cases, insurers are also reducing coverage, raising the bar on requirements for coverage, and excluding categories of attacks to keep rates and claims down.
Many companies are beginning to feel the pinch.
Why Is Cyber Insurance Needed?
As companies around the world continue down the path of increased digitization and ever-greater reliance on technology, they face new risks and liabilities. With ever-increasing amounts of sensitive data being stored, transmitted, tracked, and shared online, businesses have become more and more vulnerable to cyberattacks. We have seen the results in the news: data breaches, disclosure of personal and health information, and ransomware and other operational impacts.
Given the dearth of cybersecurity talent, companies typically struggle to build and retain teams of professionals with the diverse set of skills and backgrounds needed to respond to events like these. This is one reason why it’s important for businesses to have cyber insurance, which can protect them from the financial damages that can result from attacks and amplify their ability to get help when needed. And the need for cyber insurance is increasing.
Although the cost of cyber insurance can be high, the protection it provides can be vital. Even small incidents can have a devastating impact on a business, causing lost revenue, damaged reputation, and even legal liabilities. For individuals, these attacks can lead to the loss of personal information, identity theft, and financial fraud.
Cyber insurance can cover a variety of expenses, including the cost of investigating a data breach, restoring lost data, and providing credit monitoring services to affected customers. It can also cover the cost of legal fees and damages that may be awarded in a lawsuit.
The Rising Cost of Cyber Insurance
As the frequency and severity of cyber incidents continue to rise, the need for cyber insurance will likely increase as well. At the same time, insurers are beginning to fully understand the risks involved and are adjusting their rates to limit their losses after a few brutal years of ransomware attacks and breaches.
According to the Wall Street Journal, “direct-written premiums collected by the largest US insurance carriers” increased a staggering 92% year-over-year in 2021, largely due to higher rates rather than companies increasing their coverage.
Insurers have also recently moved to exclude losses arising from war and from state-backed cyberattacks. Breached companies have a tendency to cite a "sophisticated nation-state attack" as a core reason they were unable to stop the breach. CISOs and GCs in the midst of an incident may now face two murky choices: reduce the risk of customer and shareholder lawsuits by attributing the attack to a nation state, or keep their options open for a successful claim by attributing it otherwise. Given how murky attribution is in practice, this exclusion will very likely lead to lawsuits between carriers and the insured.
As companies face increasing cyber insurance premiums, many are beginning to re-evaluate their risks and explore alternative risk management strategies.
For example, some companies are self-insuring: a common risk management strategy in which a company plans to pay for losses from its own funds rather than purchase insurance. It can be effective for companies that have a strong financial position and are able to weather the operational and brand impacts of incidents and breaches. RSM reports a drop from 71% to 57% in the share of larger mid-market companies carrying policies, with "countless stories about companies being turned down, given their risks and their overall profile."
Additionally, carriers are increasingly requiring those they insure to improve their cybersecurity programs in order to reduce risk. In the carriers' view, investment in stronger defenses raises the bar for attackers trying to penetrate the insured's systems, which in turn reduces the financial impact of a cyberattack and makes an insurance claim less likely.
Improve Your Defenses to Secure Cyber Insurance
How can you improve your data protection program, make it harder for attackers, and increase the likelihood your business will be able to get adequate insurance coverage?
First, establish a solid cybersecurity foundation. A great place to start is the Center for Internet Security (CIS) Critical Security Controls. Now at version 8, CIS has done a fantastic job transforming and modernizing the SANS Top 20 that CISOs used for decades to build up their programs. CIS groups controls under headings like "Data Protection" and "Incident Response Management" and breaks each one down into several safeguards you can align to as you build out your program. Showing that your cybersecurity program is based on these controls is a strong way to demonstrate cybersecurity maturity to your leadership and to potential insurers.
Second, many insurers will directly ask whether you have built and are maintaining an incident response program. Given that, run a tabletop exercise at least once a year using a realistic scenario that is relevant to your business. Exercises test your security team's ability to respond to incidents, help your leadership understand the kinds of decisions they will face during a real incident, and identify where your processes and plans need improvement. Exercises also show insurers you are serious about your program. As a further incentive, Ponemon this year found that practicing saves businesses $2.66M on a single incident.
Third, get compliant. For example, the American Institute of Certified Public Accountants (AICPA) built a reporting framework for security controls known as System and Organization Controls 2 (SOC 2), based on its Trust Services Criteria. An outside auditor can verify your compliance with these criteria and produce a report that you can provide to anyone to whom you need to demonstrate a strong security program, including potential insurers. SOC 2 even calls out considering the use of insurance to "mitigate financial impact risks." Because SOC 2 and similar frameworks such as ISO 27001 are assessed by a third party and focus on the same kinds of processes insurers are looking for, they are a strong option to assist in procuring insurance.
With the insurance market in flux, nothing is a guarantee, but these three tactics will greatly increase the likelihood insurers will cover you, and you’ll be more secure to boot.
The Future of Cyber Insurance
The cyber insurance market is expected to grow significantly over the next few years, and the industry is constantly evolving to meet the changing needs of businesses and consumers facing waves of attacks. Looking ahead, cyber insurance will continue to grow in importance: businesses will increasingly purchase policies to protect themselves from the financial damages that can result from incidents, data breaches, and other attacks. As the industry adapts, we can expect to see more innovative and comprehensive cyber insurance products reach the market.
Whatever route companies choose to take, it is clear that cyber insurance has become a necessary part of a cyber risk and resilience program. As the threat landscape continues to evolve, companies must be prepared to face the increasing cost of cyber insurance. While no business is 100% safe from attacks, cyber insurance can help mitigate the financial damages that result from one. Security investments made in parallel, such as transforming incident response, will increase your ability to obtain and maintain insurance and to make a claim when needed, all while raising the bar for attackers and increasing the resilience of your business against future attacks.