Navigating a Changing Cybersecurity Insurance Landscape
So, you’re in the market for cybersecurity insurance? Well, not unlike currently being in the market for a used car, you are going to find your options to be less enticing and more expensive than in the past. You will likely find it much harder to drive off the lot happy with your purchase.
Estimates are that cybercrime rose 600% during the COVID-19 pandemic. As organizations rushed to continue operations in the face of work-from-home mandates, they were often forced to increase the number of endpoint devices connected to their networks. This ballooned the size of networks and the potential attack surface for cybercriminals. The criminals took advantage. Damages from cybercrime are expected to reach $6 trillion this year, says BlackFog. According to Sophos, 37% of all businesses and organizations were hit by ransomware in 2021.
Ransomware has certainly grabbed the headlines recently. High-profile attacks on Colonial Pipeline, JBS, and the DC Police Department garnered national and international attention, and at least one of these attacks had people hoarding gas at the pump. Schools, municipalities, banks, hospitals, television networks, and any other type of organization you might dream up have similarly been forced to navigate the choppy waters of ransomware and the digital pirates behind the crimes.
Cyber loss ratios have skyrocketed. By the estimates of Risk Placement Services, losses often far exceeded actuarial estimates, with loss ratios jumping from 44.8% in 2019 to 67.8% in 2020. Meanwhile, increased regulatory and reporting concerns and requirements have upped the stakes when it comes to a data breach, especially one involving personally identifiable information (PII).
All of this has caused considerable turmoil in the cybersecurity insurance market. Because the financial demands from cybercrime are mounting, the number of those willing to take on the risk of paying such demands is dwindling. This is also driving up insurance rates for organizations, while carriers impose more stringent requirements for coverage.
Confusing matters further is the fact that the market for cyber insurance is growing. According to the RSM Middle Market Business Index 2021 Cybersecurity Special Report, 65% of respondents use a cyber insurance policy for protection against internet-based risks, which is a 3% increase from last year. Market forecasts estimate a compound annual growth rate (CAGR) of 25.4%, with the market reaching $17.55 billion from $4.52 billion in 2021.
So where does this leave leaders, as we analyze the current state of the cybersecurity market?
Fewer Providers/Less Coverage: The number of insurers carrying cyber insurance remains quite small, with 10 U.S. insurers accounting for 70% of the premiums written in the market, estimates AdvisorSmith. Many of these insurers rely on reinsurers to support claims. The cybersecurity reinsurer market is even more concentrated. Four reinsurers account for more than 60% of premiums, according to Harvard Business Review. All of this suggests that an increase in risk for cyber insurers will reduce capacity and insurers’ willingness to provide coverage, or lead them to provide coverage only at a higher premium.
Higher Premiums: Standard & Poor’s estimates that cyber insurance rates will increase 20%-30% per year on average in the near future. This is due to increased claim frequency, the severity of claims, and the uncertainty of insuring cyber risk. An additional reason for higher premiums is that organizations are only beginning to take the digital threat to their data and bottom line seriously. Leaders, generally, are only starting to recognize that cybersecurity is not an IT line item but a critical piece of operations that can provide business value because it can build trust between a business and its customers. As cyber incidents continue to rise, so too will premiums, as well as the requirements that must be met to reach the minimum threshold for procuring cyber insurance.
More Detailed Underwriting Process: The underwriting process is going to become a lot more invasive for organizations hoping to obtain cyber insurance. Providers are going to want an increased amount of information about organizational cybersecurity practices. A process that used to take hours may now take days. Additionally, providers will want to ensure you are adhering to certain specific best practices such as multifactor authentication across the organization, regular backups, a patching program, and regular vulnerability scanning or a periodic penetration test. Extensive questionnaires once reserved for large organizations, and resembling vendor security assessments or government RFPs, will trickle down into the upper-middle and middle-market segments, placing a greater burden on these organizations to adhere to more stringent cybersecurity practices to garner coverage.
Here are ways that leaders can navigate an increasingly demanding arena:
Consult an Expert: Leaders should have an expert review current cybersecurity insurance for any potential exclusions they may be unaware of, red flags that might exist, and ways they may be able to renegotiate for a better agreement. Additionally, all potential cybersecurity insurance policies should be inspected by an expert to ensure that the policy does not unfairly disadvantage the organization in favor of the carrier. While it is important to have a legal review of such a document to ensure the language and clauses adhere to organization standards, it is also important to involve someone with technical expertise.
Practice Proactive Cybersecurity: In the past, organizations have been focused on reactive cybersecurity, that is, on how to respond to an event after it has occurred. Today, this is not going to cut it. Organizations must move to a proactive cybersecurity response. It’s not if you will be impacted by a detrimental cyber incident…but when. Even if you have the strongest security in the world, you will be helpless when a vendor bleeds your information. That’s why it is important to assume these incidents will occur and proactively prepare for them. One critical way to do this is to prepare incident response playbooks. Playbooks help your team stay cohesive when an event occurs. This way, everyone understands what they are responsible for, and everyone is working in tandem to achieve the same outcome. During an event, moments are critical. You don’t want to waste them bickering about how to respond. You want to have your response dictated beforehand so that everyone in the organization is rowing the boat in the same direction instead of looking for a life raft.
As our reliance on digital tools increases, so too will our risk from cybercrime. This will only make cyber insurance more necessary while also making it harder to get. Organizations will need to be proactive about improving their cybersecurity practices. This includes building digital event response playbooks, conducting periodic penetration testing and vulnerability scanning, implementing multifactor authentication, creating regular backups, and enabling audit logging. This is what organizations can do to prepare themselves for mounting security requirements for cyber insurance. It will also be necessary to be ever diligent about inspecting insurance policies for clauses that might unfairly advantage the insurance carrier over you. This is where consulting someone who is an expert in both insurance and cybersecurity will be paramount.