Companies need to reassess their cyber insurance policies as significant breaches and growing payouts have led insurers to demand higher premiums while granting less coverage, leaving many organizations unprepared in the event of a breach or security incident.
While two-thirds of companies (69%) have seen their premiums rise by more than 50% in the past year, companies still feel the need to carry policies, overwhelmingly choosing to allocate more budget to pay for the increases, according to the “2023 State of Cyber Insurance” report published by access-management firm Delinea this week. The reason for the continued rise in the cost of premiums and stricter terms: Most companies (80%) have submitted at least one claim to their cyber-insurance provider since procuring a policy, with 47% using their cyber insurance multiple times, the report found.
Overall, insurers have adjusted their costs and premiums to the current market, with breaches driving up costs, says Joseph Carson, chief security scientist and advisory CISO at Delinea.
“Insurance companies were not prepared for the high impact and high frequency of cybersecurity incidents,” he says. “Now that they have better data to make better-quality decisions and with the market maturing, they now can make quantified risk-based decisions which means the premiums are higher and coverage is sufficient to recover.”
The significant premium increases and shrinking coverage come as the cyber insurance industry continues to evolve. Five years ago, insurance companies saw only profits, with a loss ratio of 32% — meaning insurers only paid out $32 in claims for every $100 they earned in premiums, according to the “2022 Cyber Insurance” report released by the National Association of Insurance Commissioners (NAIC). Today, the rate stands at a less enviable 66%, yet still on par with what the companies make on homeowner’s insurance premiums.
The industry remained profitable by increasing premiums — by a whopping 74% in 2021 — and increasing the restrictions on coverage, including capping payouts typically between $1 million and $3 million, NAIC stated.
Overall, the industry has matured from making pricing policies based on gut instinct to using incident data, leading to quick price adjustments, says Meghan Hannes, head of US cyber and tech underwriting management at insurance firm Beazley.
“The economics of cyber insurance have gone through the maturity curve, which is an understatement, in the past five years, [starting with] the whole ransomware era … in late 2018,” she says. “Everyone was strained to the limit … and we had to increase prices very, very quickly.”
Significant Gaps in Coverage
Cyber insurance used to be treated as a catch-all, a way to protect against risk after an inevitable — as it seemed at the time — breach. Now, cyber insurers have an increasing number of requirements that, if not met, could leave companies without insurance. Under many policies, cyber insurance coverage is void if a company fails to have security protocols in place (43%), suffers an insider attack (38%), or does not report the incident to the insurance firm first (31%), according to the Delinea report.
Overall, only about half of policies pay for data recovery and incident response services and reimburse the cost of impact on customers and partners. Unsurprisingly, smaller companies with less budget for security had more trouble gaining coverage, with more than a quarter (28%) of small-business applicants failing to get coverage, compared to only 8% of large companies.
The vast majority of business leadership (81%) are granting budget to pay the higher premiums, but at a lower rate than in 2022, which saw almost every company (94%) budgeting for cyber insurance.
Prices should not increase at the same rate as in the past, says Beazley’s Hannes. “We’re starting to see prices land, where they economically make sense, where that insurer can successfully deliver a product that has stability and longevity,” she says.
Insurance Leads to Better Defenses
A good reason to take the plunge on cyber insurance, or to continue paying for it, is that the application process and insurers’ requirements have led companies to be more diligent about their security.
Nearly all companies (96%) purchased at least one new security solution in order to gain policy approval from their insurer, says Delinea’s Carson.
“Insurance providers are maturing with improved data and insights into what is required to make businesses more resilient against cyberattacks,” he says. “Their policies are now requiring better security best practices from businesses before they can even become insurable.”
Because cyber insurance requires an in-depth onboarding process, companies can shorten the time by using a cybersecurity template, such as the NIST Cybersecurity Framework, to determine what controls should be adopted, Carson says. Reliable backup and recovery processes as well as multi-factor authentication are usually required by most insurance policies.
“Those organizations that take the time to prepare and run risk assessment as part of the cyber insurance process are one step ahead,” he says. “When a cyber incident occurs, it is of lesser severity because they are prepared and engage immediately with the resources provided by cyber insurance.”