Marcus Chambers, Head of Cyber Security services at Evalian Limited, explains what cyber insurance is and whether your business needs it.
Data is the lifeblood of the modern organisation. Cloud applications, electronic communications and connected devices are now essential to business operations in most companies. They are crucial to customer experiences, employee communication and productivity, business development and growth.
Technology, though, does not come without risk. With more data comes more responsibility – and data breaches are now a significant concern for companies of all sectors and sizes. To combat the threat of security incidents, more and more companies are turning to cyber insurance, which can help to reduce the impact of a data breach. In fact, the cyber security insurance market is expected to reach $17.55 billion in 2033, up from just $4.5 billion in 2017.
What is cyber insurance?
Conventional business insurance policies were designed long before the digital era. While these policies cover incidents such as commercial general liability or errors and omissions, they do not account for data security threats.
As the risks of data loss, theft and downtime grew, many insurers began to incorporate cyber-related language into their corporate policies or to introduce standalone cyber insurance. Such policies cover businesses against data breaches, ransomware attacks, phishing scams and supply chain attacks.
Cyber insurance usually comes in two forms: first-party coverage or third-party coverage. First-party coverage safeguards the insured client from possible losses caused by a data security incident. On the other hand, third-party coverage provides liability coverage for companies responsible for a client’s security.
The changing nature of cyber insurance
Cyber insurance can certainly be an asset to one’s business. Still, organisations must be aware that the market is currently undergoing a seismic shift that is making insurance both more difficult to obtain and more expensive. To exemplify this point, we only need to look at recent announcements from sizeable cyber insurance players such as AIG and AXA. AIG raised its prices by nearly 40%, while AXA made an agreement to no longer offer ransomware-related insurance policies in France.
The reason for these shifts can be traced back to the fact the cyber insurance market is relatively young. Cyber insurance has only come to fruition in the last 20 years, meaning there is a lack of historical data and insights insurers can use to predict steady premiums.
We must also remember the cyber landscape is continually evolving. Threat actors constantly change their tactics. This, in turn, increases insurance premiums. For example, between 2019 and 2022, SonicWall analysis indicates ransomware attacks increased by 170%. According to Sophos, the cost of remediation is also rising, from $700,000 in 2020 to $1.8 million in 2021.
Cyber insurance players often make losses as attacks grow in their sophistication and success rate. Hiscox, for example, noted insured cyber losses of $1.8 billion in 2019, up 50% year over year.
With current policies no longer fit for purpose, insurers are adapting their approach – making their policies more stringent and harder to obtain. We are also seeing insurance providers put more emphasis on prospective clients bolstering their security approach before seeking cover. To obtain coverage, businesses will likely have to fill out detailed information security questionnaires, or even undergo an audit, to receive a quote.
Should I invest in cyber insurance?
While the additional investment surrounding cyber insurance premiums may be off-putting to some organisations, we must remember that putting adequate cybersecurity measures in place will reduce the likelihood of a successful data breach. It will also reduce the cost of your cyber insurance premium by lowering your risk profile.
For organisations that already have cyber insurance cover, it would be best to speak with your insurance provider to ensure the scope of your policy is not subject to change. You should also gain clarity on the exact scenarios in which you will be protected and the requirement to notify your insurer in the event of an incident.
Looking ahead, we assess the cyber insurance market will continue to evolve and mature. Insurance providers will put more and more responsibilities on their clients to have robust security measures in place before offering protection. They may even mandate certifications – like Cyber Essentials or ISO 27001.
Ultimately, if your company is interested in obtaining cyber insurance, your best step forward is first to review your internal security controls. By focusing on robust, end-to-end protection, you can improve your security posture, reduce your susceptibility to security incidents and decrease your cyber insurance premium.