Why is it so hard to get Cyber Insurance?
July 11, 2023
Getting Cyber Insurance used to be a pretty straightforward process. You’d submit an application, receive a quote, and sooner or later, you’d have decent coverage at a fairly reasonable price.
These days, things are a lot more complex. It takes longer to apply, coverage is more expensive, and it’s never been harder to get. After years of volatile attacks and higher-than-expected damages, insurance companies have gotten a lot stricter about who qualifies for insurance. Now, they’re mandating cybersecurity for all clients and taking a closer look at your network security. And based on what they find, they’re restricting terms, denying coverage, and raising premiums for anyone that doesn’t meet their standards.
But why are cyber insurers so selective? What are their requirements? And will they let up anytime soon? Keep reading to learn more.
Why are insurance companies so cautious?
Around 2019, the sheer volume of cyber and ransomware attacks had begun to take its toll on insurance companies, with average breach costs at seven figures. By the end of 2020, cyber insurers reported that they had lost $5 for every $1 earned in premium. Even more troubling? Although most breaches could be easily prevented with simple, low-cost protocols, like secure email, remote access, and regular patching, most businesses still weren’t doing enough to prevent or prepare for attack. Instead, they’d give in to hackers’ demands, relying on insurers to shoulder the financial burden and make up for their security gaps.
To keep risks at a manageable level and ensure they had enough funds to pay for other cyber claims, insurance companies began to pull back on coverages, raise premiums and deductibles, and toughen security requirements. As a result, organizations now have to provide proof of basic cybersecurity to be eligible for Cyber Insurance at all. Failure to do so could result in higher premiums, denied claims, policy cancellations, and significant expenses for remediation.
Many insurance companies have also added risk assessments during the application process to get a better sense of applicants’ day-to-day operations and overall security. Depending on your organization, these assessments can range from a simple questionnaire to an extensive third-party audit and could have a significant impact on determining your policy terms, conditions, pricing, and overall insurability. If the results are poor, you might not even have a chance to rectify the vulnerabilities before insurance companies make a final decision.
How have organizations responded?
According to the 2022 CIRA Cybersecurity Report, 74% of organizations have some form of Cyber Insurance. Most have indicated that their provider has made changes to their coverage, with the most common being proof of security measures and higher premiums.
But while many businesses have implemented new technologies and increased staff training, others have been slow to take action. Reasons for this include:
Most insurers expect baseline controls, like multi-factor authentication (MFA), encryption of data-at-rest and data-in-transit, offline backups, and regular security awareness training for all employees. However, the specifics can vary between insurers, with some going as far as mandating endpoint detection and response (EDR), incident response plans, supply chain management, and more. As a result, organizations are often unsure which measures to deploy first, especially as threats and recommended solutions continue to evolve. This is compounded by limited budgets, personnel, and resources to oversee security efforts.
2) Poor Maintenance
In many cases, businesses have enough safeguards to obtain Cyber Insurance, but fail to regularly update or patch throughout the policy period, leaving gaps for hackers to exploit. Often, these vulnerabilities only come to light following a breach or during the annual renewal process, when insurers reassess and scan your systems. But at that point, it’s too late to make any changes that could impact your premium; your insurance costs will be determined based on the findings in the report, regardless of any subsequent security repairs. Unless you’re willing to forgo Cyber Insurance entirely, you’ll be locked into a higher premium until the next renewal cycle comes around.
Given the market conditions, businesses are increasingly questioning the value of Cyber Insurance and whether to reduce or even drop coverage, particularly if they don’t think they’re at risk or if they haven’t experienced a breach yet. Some are even opting to self-insure or establish their own retainer agreements with legal and forensic service providers.
What does the future hold?
It’s impossible to tell how things will unfold. Cybercrime is as unpredictable as ever, but for now we can anticipate the following:
1) Stricter Security Requirements
Cybercriminals are relentless and as we implement safeguards, they’ll adapt and find new ways of compromising data—traditional security measures won’t be enough in the long run, particularly in the age of ai. In the coming years, insurers are likely to introduce more mandates to combat growing risks more effectively, including routine vulnerability scanning, patching regulations, and limiting end-user access. The controls might even get more detailed, like automatic system patching every 15-30 days or granting user access only when necessary and revoking it once tasks are completed.
2) High Pricing
Keep in mind: high pricing is a direct response to a heightened risk environment and claims payouts. There’s potential for insurance costs to stabilize, but that ultimately depends on the threat landscape and how well organizations adhere to security standards. Insurers aren’t likely to ease up until they see a real change in businesses’ overall cyber readiness.
3) Complex Policies
Insurers have gained valuable insights from aggressive cyberattacks in recent years and are continually adapting to address emerging risks and find a balance between coverage, threats, and cost. As a result, policies have become more sophisticated and flexible, with more sub-limits, maximum payouts for different types of events, and detailed exceptions or exclusions. For example, some insurers have removed ransomware coverage, whereas others now offer it as an optional add-on for a higher premium and deductible. That way, businesses can tailor coverage to their specific needs and budget and save on costs while maintaining essential protection.
4) Rising Demand
As attacks grow in size and significance, businesses will face greater scrutiny from regulatory bodies and key partners. Clients and investors want assurances that their data will be protected if there’s a breach and are insisting on cybersecurity, higher coverage limits, or even a certificate of insurance as a condition of work.
If you don’t have insurance already, this could put you in a precarious position with securing contracts. Most businesses underestimate just how tough it is to find the right coverage. Depending on your size and operations, it could take weeks for you to find the right provider, apply, and negotiate pricing. And prospective clients or investors might not be willing to wait it out while you shop around for another policy.
5) Cyber Risk Management
Cyber Insurance has historically provided funds for various remediation services, including legal fees, crisis management, forensic investigation, PR consulting, and more. But now more than ever, insurance companies and brokers are stressing risk management to curb threats and prevent breaches before they happen, rather than reacting after the fact. Many have invested in-house incident response services, while others have joined forces with third-parties and specialists for ongoing education, security, and guidance.
What can you do?
To keep insurance costs low and maintain good standing with insurers, take steps to strengthen your cyber defences and reduce your risk profile. In addition to robust controls, provide regular awareness training to all employees and update your safeguards frequently to account for new exposures. Review your existing Cyber Insurance policy and work closely with a broker to meet insurer requirements’. Remember, cybersecurity is an ongoing journey, and a strong partnership between you, your IT team, and your insurance company is crucial. Being proactive will increase insurers’ willingness to cover you against attack.
But whether or not you invest in Cyber Insurance, security is essential—and in this day and age, we’re past the point of pretending we don’t need it. According to the 2022 Cybersecurity Ventures Official Cybercrime Report, the global annual cost of cybercrime is poised to reach a staggering $8 trillion USD this year, with damages at $10.5 trillion by 2025. With growing pressure from clients, investors, and regulators, organizations can no longer rely solely on insurance as their primary defence against attack or as a checkbox for compliance.
Now more than ever, organizations must work towards a cyber risk management strategy that focuses on prevention, detection, and remediation. While no prevention is absolute, you can still fortify your systems enough to dissuade the average criminal and drastically lower the chances of attack. And if you do suffer a breach, you can respond quickly and effectively and recover your business that much sooner. Above all, you can become resilient to attack and stay agile in the face of change, no matter the risk or requirement.
How can we help you?
For more guidance, connect with PROLINK. With over 40 years of experience and a specialized knowledge of cyber markets, PROLINK is ahead of industry trends. We’ll help you plan, protect, and make sense of insurers’ requirements.
Our dedicated team of risk advisors will:
- Identify potential losses based on your business operations and unique needs;
- Stay on top of emerging threats, legislations, and security requirements that could affect you;
- Share what steps others in your industry are taking and advise you accordingly;
- Conduct a robust assessment of your existing insurance policies to detect any coverage gaps;
- Adopt a proactive approach to risk management to control your costs long-term;
- Align you with specialized Cyber Insurance solution, tailor-made for your strategic objectives and budget.
To learn more about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.