Cyber liability insurance is gaining in popularity as a tool to help companies hedge the financial losses caused by the rising threat of cyber incidents. However, recent changes are making cyber coverage harder to buy. What is the state of cyber liability insurance? Do you need it? Can you afford it? Can you even get it?
A brief history of cyber liability insurance
Cyber liability insurance began gaining popularity in response to the dot-com bubble in the 1990s. Early policies only covered damage to third parties, offering no protection to the insured. However, coverage quickly evolved to provide first party protection, providing a layer of protection for companies against unauthorized system access, computer viruses, and data loss.
Since then, the market has grown steadily and changed radically. The scope and breadth of cyber risks facing businesses today could hardly have been anticipated 25 years ago.
Demand, losses, and premiums are all on the rise
The demand for cyber insurance coverage is skyrocketing. At the same time, insurance providers’ losses are growing. High demand in combination with high payouts lead to increased premiums. Businesses report premium hikes of 50% and even 100% year over year.
Insurance payouts are rising in large part because of the increase in ransomware attacks. In the past, the biggest cyber threats were data breaches. Without minimizing the devastating consequences of a data breach, losses associated with a breach tend to be spread out over time, rather than as a single, sometimes multi-million dollar, ransomware payout.
Insurance companies are well equipped to handle risk. Their actuaries are experts in forecasting longer-term payouts. But increasingly, the losses are single events where the full loss coverage is reached in a single day — a model insurance companies do not embrace.
New mandates
Naturally, insurance companies want to mitigate risks by recommending — or even mandating — that their insured take the proper precautions to protect against lost. The newest and most significant of those mandates is the requirement for Multi-Factor Authentication (MFA).
In early 2020, President Biden signed an Executive Order intended to deter cybercrime. The Order mandated all federal agencies use Multi-Factor Authentication. Insurance companies rapidly took the opportunity to require their insureds have MFA in place before providing a quote — or a renewal — for most accounts.
Consider your risk threshold
Every company will need to analyze their own risk tolerance and make the decision whether to purchase cyber liability insurance accordingly.
Premiums are expensive, ranging from $1,500 annually for a small company to tens of thousands for larger companies. As you’d expect, premiums vary based on a number of factors, so be certain you understand what you’re buying and shop coverage carefully.
Before you decide against purchasing coverage, it’s worth keeping in mind that the potential cost of hacks may be larger than you think. The Hiscox Cyber Readiness Report found that the average cost of a cyber incident for businesses with 50 to 249 employees in 2019 was $184,000.
Part of the security armor
Cyber insurance does not replace the need for cybersecurity. Insurance cannot protect your company from phishing attempts, malware, or insider threats, it can only help minimize the financial damage caused by incidents like these. While we believe that insurance is important, it is of secondary importance to a robust security infrastructure. Think of this way — just because you have homeowners insurance doesn’t mean you shouldn’t lock the front door.
A robust security infrastructure is a mandate for businesses, and we believe that requiring MFA as a condition of cyber coverage is a smart move. We recommend MFA for our clients regardless of their insurance status. MFA is an integral part of that security infrastructure, as is email security and 24/7 network monitoring, and increasingly — a Zero Trust Policy, something we’ll cover in an upcoming post. Questions about MFA and your company’s security strategy? Contact one of the security specialists at Net at Work.
FAQs
Demand, losses, and premiums are all on the rise
Why is there a waiting period for cyber insurance? ›
Cyber insurers include waiting periods to hold the company responsible for the initial period of downtime, meaning any short-term issues would not result in a claim being paid. All waiting periods are set by the insurer, meaning that times will vary.
Is cyber insurance going away? ›
The majority, 64%, agreed that the cyber insurance market will harden over the next 12 months, while 57% also expect cyber underwriting standards to rise. A significant 80% predict that cyber risks will increase over the next year, with 31% anticipating a significant surge.
What are the challenges for the cyber insurance industry? ›
Unlike traditional insurance, cyber insurance lacks a robust history of claims data. The scarcity of historical data makes it difficult for underwriters to accurately predict and price cyber risks. Developing models that can effectively navigate this uncertainty remains a significant challenge.
Is there an increase in demand for cyber insurance? ›
Cyber Market Outlook
The global cyber insurance market, currently worth $14 billion, is expected to double to $29 billion by 2027, driven by the escalating frequency of cyber-attacks and growing regulatory requirements, according to the report.
How do you qualify for cyber insurance? ›
Strong security controls
That includes protection from internal threats, like careless, malicious or compromised insiders. If you have a remote or hybrid workforce, you may also need to demonstrate that you have people-centric security controls as well as granular policy controls based on risk, context and user role.
Why is insurance taking so long? ›
Delays by the insurance company can take many forms, including: Simply taking a long time to respond, or “radio silence.” Poorly implementing established procedures and practices for timely investigating and processing claims. Misrepresenting various aspects of a policy or claim.
What is the future of cyber insurance? ›
The cyber insurance market has further matured. Looking to the future, the focus remains to meet increasing demand and manage dynamic risk exposures, while focussing on the sustainable insurability of cyber risks and market functionality.
What percentage of companies buy cyber insurance? ›
Data breaches in the U.S. cost up to 9.44 USD on average. 34% of organizations in the U.S. have a standalone cybersecurity insurance policy.
How common is cyber insurance? ›
The global cyber insurance market tripled in volume in the last five years, expanding to gross direct premiums of around USD 13 billion in 2022, according to the Swiss Re Institute (SRI). In just two years, the market has seen significant rate increases and re-underwriting to restore profitability.
Your industry. Certain industries are subject to higher premiums because they are more susceptible to threats. Hospitals, for example, are a major target of ransomware attacks because they store sensitive patient data and will often choose to pay ransoms rather than risk their patients' lives by going offline.
Is cyber protection insurance worth it? ›
Today, the average cost of cyber claims is substantial, far exceeding the average cost of cyber premiums. And considering the proactive and reactive services on offer, it's clear that cyber insurance is more than worth the money.
How much is cyber insurance premium? ›
How much does cyber insurance typically cost? For small businesses, annual cyber insurance premiums can range from $1,000 to $7,500. This range is dependent on several factors, which we discuss below. A recent survey found that the majority of cyber insurance underwriters expect rates to increase slightly in 2024.
What is the restoration period for cyber insurance? ›
The restoration period may be any number of months, but you will most commonly see 3 months, 6 months or even a year. Typically, the insured can negotiate the length of the restoration period for an additional premium.
What is the period of restoration in cyber insurance? ›
Restoration Period (or period of restoration) on a cyber policy refers to the time between the moment the network security event happens and the moment when the insured's income is back to a “normal level”. Normal meaning whatever the income would have been without the network security event.
Is cyber insurance worth it for individuals? ›
Today, the average cost of cyber claims is substantial, far exceeding the average cost of cyber premiums. And considering the proactive and reactive services on offer, it's clear that cyber insurance is more than worth the money.
Why have a cyber insurance policy? ›
What does a cyber insurance policy cover? A cyber insurance policy protects organizations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.
