The cost and occurrence of cyberattacks continue to rise.
According to the Identity Threat Research Center (ITRC), there were 17% more publicly reported data breaches through Sept. 30, 2021, than in all of 2020. IBM’s "Cost of a Data Breach Report" found the cost of data breaches increased from $3.86 million in 2020 to $4.24 million in 2021, the highest average total cost in the report's history.
As the frequency, scale, and severity of cyberattacks grow, one industry now finds itself in a tricky situation: cyber insurance.
The Impact of Attack Surges on Cyber Insurance
In 2016, just 26% of insurance clients had cyber coverage. That number rose to 47% in 2020, according to a US Government Accountability Office (GAO) report. But the demand for cyber coverage isn't the only thing soaring.
At the end of 2020, insurance prices jumped anywhere from 10% to 30%. In the third quarter of 2021, the average cost of cyber insurance premiums climbed a record 27.6%.
If the rates continue to rise, companies might decide it's not worth the cost. That is, if insurers continue to cover their industry.
How Insurers Are Handling the Changing Cyber-Threat Landscape
Aside from raising premiums, some insurers are reducing coverage for specific industries, including education and healthcare, limiting how much cyber coverage they offer or restricting contract terms. Some are extending standalone policies for cyber-risk rather than bundling it with wider coverage.
After 41% of cyber-insurance claims pertained to ransomware attacks in the first half of 2020, many insurance companies began capping how much they'll reimburse for these attacks. In some cases, they're shutting down reimbursements entirely. As of May 2021, global insurance company AXA will no longer provide ransomware crime reimbursement in France — a response to officials' growing concerns over ransomware damage in the country after over $5.5 billion in total losses last year (second only to the US).
Insurers also being more meticulous about what security controls prospective clients are using. Simply taking the company's word for it is no longer good enough.
Along with making customers fill out a standard questionnaire, many insurers are performing stringent examinations to ensure certain key controls are in place. Multifactor authentication (MFA), securely tested backups, and network logging and monitoring are just a few important criteria.
Ultimately, insurance companies must determine if the risk is worth it.
Is Cyber Insurance Fueling Ransomware Attacks?
Even if you can afford and qualify for coverage, you should know that cybercriminals like to attack companies with cyber insurance. According to a recent survey, these organizations are over two times more likely to pay ransoms than those without it.
Hackers even find out the value of potential victims' coverage by breaking into the insurance companies first so they can demand the highest possible ransom. Once they've extorted organizations with cyber insurance, they turn their attention to the insurers and go after them.
This puts insurance companies in an unenviable situation. Not only are they potential victims themselves, but the business is less fruitful than in years past. Cyber insurance payouts are now above 70%, which is the break-even point, forcing insurance companies to make tough decisions.
How to Build Trust in an Era of Cyberattacks and Digital Disruption
More businesses will seek cyber insurance as mounting concerns over cyberattacks persist. It can be a safety net, but in addition to the higher premiums, more stringent criteria, and the target it puts on your back, insurance isn't enough to ensure overall resiliency.
Whether you choose cyber insurance or not, make sure you have the security basics covered.
The use of strong passwords and MFA must be mandatory for all employees. Make sure you're patching all systems and keeping security software up to date. Ingress and egress filtering are a must, as is network segmentation. You should also have protocols in place to recover data after a successful cyberattack.
Run data breach exercises, educate employees on the latest threats, and test your plan regularly to determine vulnerabilities and make changes as needed. There's no such thing as 100% secure. But having these measures in place will give you peace of mind and should make it easier to obtain cyber insurance as well.
What's Next for Cyber Insurance?
The threat landscape will continue to shift, and insurance companies will adapt. Having cyber insurance is a good idea if the costs make sense — it could even wind up being the difference between going out of business and staying afloat. However, it shouldn't be your first course of action.
Focus on the security fundamentals, not only to qualify for an insurance policy, but to ensure it remains insurance and not your first and only line of defense.
Your business's overall resilience posture is ultimately in your hands. And that's where you want it to be.