It’s no secret that data breaches are costly. IBM’s annual Cost of a Data Breach report illustrates this well:
- The average cost of a data breach in 2021 was $4.35 million.
- The average cost of a ransomware attack, not including the cost of the ransom itself, was $4.54 million in 2021.
- 60 percent of breached organizations raised the prices they charge customers as a result of the breach.
Given the significant costs associated with data breaches, organizations are increasingly looking to cyber insurance to help protect their businesses against financial losses from a cyber attack. In fact, in IBM’s report, “insurance protection” was a key factor that lowered the average total cost of a data breach.
Yet, cybersecurity insurance is still considered an emerging space, one that is notoriously difficult to navigate.
For insights on the topic, we recently sat down with industry experts Ethan Harrington, Founder and Principal at 221b Consulting, and Mary Roop, Consultant at 221b Consulting, to discuss the current state of cyber insurance and get answers to some of our burning questions. Continue reading for highlights from the discussion.
What’s going on in the cyber insurance market?
Ethan Harrington: The market is terrible, and many of the issues we’ve started to experience have surfaced just within the last few years. Last year was a historical year, and not for good reason. We saw a 300-plus percent increase in ransomware. We also saw our clients experience triple-digit increases in their cyber insurance premiums.
On average, a company categorized as having “good” risk levels may see a 15 to 20 percent increase in premiums, and those at the “questionable” risk level or that have had claims experience may see another three-digit percentage increase.
Why is this happening? Market corrections. The insurance marketplace is global, and all of these insurers are writing more than cyber coverage. When they have a year where auto liability coverage is bad, they’re typically going to try to make up some of that premium in other places because they have to make money. In 2019 and during COVID-19, auto liability and general liability were extremely stressed, along with other claims completely unrelated to cyber. So, we knew that there was going to be a potential correction.
But what we saw last year was a complete market shift. We’ve never seen anything like this before. We’re concerned that what we’re seeing right now is going to perpetuate for many more years and are unsure if coverages are ever going to return to what they were and how the associated premium will be impacted.
As cyber insurance matures, is it becoming yet another regulation or standard to comply with?
Ethan: Yes and no. Yes, because it is another party that is keenly interested in what organizations are doing to not only harden their defenses and protect their financials but also protect Personally Identifiable Information (PII) or data from a potential ransomware attack that could cause business interruption.
No, because most insurance carriers understand that there are several golden standards to adhere to, whether it’s the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO). If you can document that you follow one or a combination of them, then I think that most would understand it.
Insurers are starting to layer on more requirements beyond what NIST or ISO would indicate as guidance – and they’re asking questions specific to CISOs. They’re starting to ask questions about cyber resiliency. In general, most regulatory frameworks that organizations follow focus on preventative actions. Now, carriers are focusing on reactive responses to cyber attacks, looking at what you are doing to limit the potential impact if you do have to file a claim.
There’s more scrutiny involved in cyber insurance today, and it’s different from what other regulators require.
Who typically manages the cyber insurance process?
A live poll of the webinar attendees, many of them from financial institutions, showed who manages cyber insurance at their organizations:
- 42% risk management
- 25% finance
- 25% information security
- 8% general counsel/legal
Mary Roop: Whoever runs risk management typically controls the placement, but it truly is a partnership between the person responsible for placing the insurance policies, the information security team, the privacy team within legal, and the team responsible for Payment Card Industry (PCI) compliance.
These teams need to work together to ensure an understanding of the cyber hygiene and the data incident response within your organization. This creates a holistic picture with complete information useful in the robust cyber insurance application and underwriting process.
How has ransomware played a role in the cyber insurance market?
Ethan: Ransomware decimated the entire insurance industry from a cyber perspective. In 2021, there was a 300-plus percent increase in ransomware attacks. Ransomware used to be a quick way for adversaries to grab cash, but they’ve become more intelligent, conducting background checks into businesses to determine what their financials look like to identify the most realistic ransom amount to ask for.
Ransomware is not going away anytime soon, and the cyber insurance market is responding to that. Now, we are starting to see sub-limits within insurance policies specific to ransomware, separate retentions as it applies to ransomware, and different changes in waiting periods (eight hours then vs. 24-48 hours now). But I expect that’ll start to lessen, and some of those policies will return to what they were before.
How have cybersecurity insurance questionnaires evolved?
Ethan: Fifteen years ago, none of the insurers had any expertise in cybersecurity. Many insurance companies recognized that they did not understand cybersecurity and hired third parties to come in and ask the questions on their behalf.
That has changed. Lots of insurance carriers are now hiring technical people who have been consultants in the cyber space or have worked at managed security service providers, because they understand the market much better. Now, insurance companies are teaching them insurance and how to do underwriting, versus outsourcing.
How do you navigate situations where providers require specific vendors for your solutions and controls?
Mary: If your cyber insurance carrier isn’t already requesting this within the application, we do recommend getting pre-approval on your data incident providers. They may be included on that pre-approved list already, and if not, they’re going to have to be vetted extensively by those providers.
This process is lengthy, but it is important to undertake before starting your renewal strategy. Go meet up with your legal team to determine the outside counsel that you can use to help advocate for your vendor choices. Carriers want to understand vendor credibility if they’re not familiar with them.
Getting ahead of this process is important because you don’t want any surprises when a data incident occurs. Like when your carrier says, “We’re not going to approve this claim because you do not use an approved vendor.” If you are proactive about this, you can go to the leaders of the respective departments and come up with a solution before it’s too late.
There has been talk about possibly monitoring clients’ cyber behavior and adjusting insurance premiums accordingly. How might we see a program like this play out?
Ethan: We don’t like insurance companies constantly monitoring and doing scans of environments. It looks bad for the insurance industry because we all know that there are going to be weaknesses that can be found if you look closely enough.
If an insurance company is constantly scanning your system, it is possible that they’re going to come back to you and say, “We need you to fix this.” At some point, the CISO is going to say, “I don’t have any more risk management practices that I can apply to protect us against that.” Security teams can do everything they can, but if employees/personnel make a negligent mistake or are heavily targeted, they can cause a massive claim to occur.
We’re putting the CISO in a difficult position where they’re trying to manage the board, protect their critical assets, and now all of a sudden, they also need to keep an insurance company happy.
Some scans delve into the depths of systems to find vendors and clients that you’ve referenced and how they could affect your insurance. Underwriters, especially in financial services, are looking at the kind of brand reputation or loss of business income that might be impacted if there was a data security incident. It’s becoming exceedingly difficult for underwriters to try to figure this out.
Have you seen any companies go under because they’ve failed to secure cyber insurance due to poor IT security controls?
Ethan: Thus far, no, I have not seen anybody that has actually gone under because they didn’t buy cyber insurance. But I anticipate it is going to happen, especially with the triple-digit increases in premiums.
We are seeing more and more companies that are not buying or cannot obtain cyber insurance, and it will come back to bite them in some capacity. It’s likely that we will see organizations going under as a result of the rising financial costs associated with breaches today.
For the full conversation and more in-depth insights from Ethan, Mary, and Norman, watch the on-demand webinar.