"Everybody says it, so it must be true" is an example of the bandwagon fallacy. In the context of cyber insurance, the argument goes that everyone is a potential victim of an attack, thus everybody must have cyber insurance. In reality, not every organization can afford to buy cyber insurance, and some organizations don't qualify for a policy even if they want one.
Having cyber insurance used to be as simple as purchasing a prepackaged cyber insurance policy, similar to the process of buying a home or car insurance policy. But with the explosion of ransomware attacks, the industry has been in disorder as insurance carriers and brokers process claims for damages caused by ransomware. In response to soaring claims, carriers are reducing the amount of coverage offered per policy, charging higher prices for less coverage, imposing much tighter rules on which companies can qualify for coverage, and canceling policies for companies that don't meet the minimum requirements.
Policy coverages are significantly lower than they used to be — in some cases dropping from $10 million to $5 million and often lower, and many companies cannot get enough, says J. Andrew Moss, a partner at Reed Smith LLP's Insurance Recovery Group.
"You have to fill in the gaps, and that's very tough because capacity has just been low or companies are priced out from buying as much insurance as they would ideally like to buy," he adds.
Coverage Required, But Out of Reach
For victims of a ransomware attack or a hacking attack where private information was disclosed, it can be difficult to obtain new policies. "What we usually recommend is that they undergo what we call a holistic review of their current insurance coverage," says Moss. The review includes general liability coverage, kidnap and ransom, property, first-party property insurance, and errors and omission, if they're in a professional services organization.
Some contracts and compliance regulations require that a company have a cyber insurance policy — posing a quandary for those companies that lose coverage. Without coverage, the company will find itself out of compliance or be vulnerable to a partner lawsuit for violating the terms of an existing contract. Getting some kind of cyber insurance policy often is mandatory, even if the company has other policies that could cover many of the losses a company might experience.
"It's not a comfortable time to be in business with respect to cyber-risks," says Daniel J. Struck, a partner at the law firm Culhane Meadows PLLC.
Characterizing today's cyber insurance market as being similar to the Wild West, Struck says he would not be surprised to see "relatively low-cost cyber insurance that doesn't cover much, but at least it provides the certificate for a contractor." He likens such "skinny" cyber insurance offerings to the low-cost, low-coverage auto insurance policies that allow drivers to meet US state auto insurance mandates.
Bare Minimum Provides a Fig Leaf
One benefit of a basic policy is that it could permit more organizations to obtain affordable coverage, eliminating the possibility of losing insurance and going out of compliance or violating contractual obligations.
Curtis Dukes, executive vice president and general manager for security best practices at the Center for Internet Security (CIS), notes that most corporate cyber insurance policies are negotiated by the corporate general counsel or outside counsel, and virtually all business policies are different. Underwriting these policies can take up to three months, he adds, due to their complexity and nonstandard clauses.
CIS offers a free self-assessment tool that helps users understand the financial impact of various aspects of a breach, including costs related to productivity, response, replacement, legal, competitive advantages, and reputation. The tool helps companies assess, report, and propose changes in cybersecurity controls based on a return-on-investment analysis, the organization says.
Because all states have their own insurance commissioner and rules, Dukes suggests that companies lobby the National Association of Insurance Commissioners directly to develop national, standardized policies that would be easier for organizations to understand and manage, as well as set minimum requirements for a basic policy. A copy of the NAIC's 2022 Report on the Cyber Insurance Market can be found here, with its discussions on cyber insurance, committee actions, and resources located here.