With the prevalence of cyber attacks increasing throughout 2020 and into 2021, cyber insurance has become increasingly important. The purpose of cyber insurance is to protect organizations in case they fall victim to a cyber attack. This is generally accomplished by covering costs incurred as a direct result of an attack. For example, if your network goes down, cyber insurance can help recoup lost profits from the time the network was down. Similarly, in the case of a ransomware attack, cyber insurance will help cover either the costs of decrypting the files or paying the ransom. However, as the nature of threats has evolved, so have the complexity and cost structure of cyber insurance.
Ransomware has been the biggest driver of change for cyber insurance. Initially, insurance companies lumped in ransomware coverage within their standard coverage options. However, as ransomware attacks have increased in volume and ransom demands have grown over the years, insurance companies have found themselves paying out increasingly large amounts to companies in coverage of these events. Insurers were not prepared for this reality, and thus they are left with two realistic options. Either they risk losing money on their policies as they are currently set up, or they change policies to be more selective and more expensive to protect themselves. This second option is what most companies end up doing.
Insurers are undertaking changes in a few main ways. First, most insurers are requiring security checks in the preliminary steps of the process. No longer can businesses simply get insurance. Instead, insurance companies now run their own security checks on businesses to ensure they are up to a certain standard. After running the scan, insurers will offer next steps of action for how the organization can better their security. If the insurer determines the organization to be up to their standard, then they will offer the organization a coverage plan along with a premium cost. This process is done in order to make sure that the insurer is minimizing its own risks by ensuring that the insured party meets a minimum standard of security.
Insurers have also begun to raise their premiums significantly. As a result of high payouts in ransomware attacks and the growing sophistication of cyber attacks, payouts for insurers have been higher than previously anticipated. Going back to as recently as 2018, the global premium payment to cyber insurance companies was $2 billion. With ransom demands rising into the millions and costs of recovering from cyber attacks increasing, that market exposure simply no longer works. Without an increase in premiums, insurance companies leave themselves at increased risk of losing money. Thus, in order to mitigate this opportunity for loss, premiums were increased.
Coverage is also being cut to fight against financial loss. Insurance companies were willing to hand out large coverage plans at first because they felt fairly confident that they would not have to pay out on these plans. But the changing landscape of cyber security has made insurers increasingly likely to have to pay on these policies. Thus they have to manage their policies differently than originally planned. By cutting coverage, they reduce their own risk of loss, but they also raise the cost to the consumer. For example, a policy that would have initially covered up to $100,000 in losses may now only cover about $50,000. In order to get back up to the $100,000 coverage you might have to pay double or more in your premium payments. Another form of “coverage cutting” that the insurers are doing is the aforementioned separation of ransomware coverage. Instead of ransomware being involved in standard coverage, it is now more of a specialty coverage that needs to be bought separately.
Many times, insurance companies will do what they feel is best for them financially, regardless of what the insured may say. For example, in the case of a ransomware attack, insurance companies may find that it is cheaper to pay the ransom than to pay the downtime costs of the business. So, even if the business does not want to pay the ransom to avoid bad publicity, for moral reasons, etc., cyber insurance will only cover the cost of paying the ransom. Thus, it is imperative to implement proper security measures to ensure that situations never get to this point. Insurance certainly is a nice safety net to have in the case of an incident, but stopping incidents from happening using good security practices is ultimately what is best for businesses in the long run. Creating a plan of action in advance also helps your business react when an attack occurs. By having discussions beforehand about what to do, you can save yourself time and money when it matters most.
More Cyber Insurance Information: CorpInfoTech’s Cyber Insurance Whitepaper
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.