Infosecurity Europe
4-6 June 2024
ExCeL London

Cybersecurity Insurance – What Do You Need to Know?

Cyber-related risk is surging. A perfect storm of digital transformation projects, complex supply chains, security skills shortages and cybercrime innovation threatens significant financial and reputational damage. In this context, it might make sense to transfer some of that risk to a third-party insurer. A whole industry specializing in exactly that has grown over the past few years. Current forecasts predict the global market for cyber-insurance will more than double in size, from $9.2bn in 2021 to more than $22bn in 2025.

However, as the industry rapidly matures, progress hasn’t been uniformly smooth. Most recently, premiums soared and coverage declined as carriers sought to rein in losses.

Increasingly, it might pay for organizations to think of their insurer not as a lender of last resort but as an advisory partner. Because it is the insurance industry that may ultimately hold the key to dramatically improving baseline security across the entire corporate landscape.

What Is Cyber-Insurance?

At a high level, cyber-insurance helps to mitigate cyber-risk by enabling an organization to transfer liability for any losses they incur onto the carrier. Policies vary but should cover the direct impact of cyber-attacks (first-party coverage), or potential losses if customers or partners try to sue following an incident (third-party coverage).

Some of the costs covered by first-party insurance include any lost or damaged data or software, extortion via ransomware, breach notification, theft of money, reputational damage, and business interruption. When it comes to third-party coverage, think things like expenses related to lawsuits, costs related to regulatory inquiries, settlements with customers, and lawyers’ and accountants’ fees.

It’s also important to remember that cyber-attacks resulting from “acts of war” are unlikely to be covered. The industry has taken steps in recent months to tighten definitions around this, in order to reduce carrier liability for state-sponsored attacks. Proving whether a threat actor was or was not working on behalf of a hostile state can be extremely challenging, as long, drawn-out lawsuits have shown in the past.

Why Do You Need Cyber Insurance?

For any IT security decision maker, it should be obvious by now why cyber-insurance is starting to become a popular option for global organizations. Take the threat landscape. The cybercrime economy is estimated to be worth trillions of dollars, generating more than the annual GDP of many countries. Threat actors have a readymade marketplace on which to trade stolen data and buy tools, services and know-how to launch attacks. One vendor claimed to have blocked almost 64 billion threats for its customers in the first half of 2022 alone.

On the other side, organizations are struggling to manage the transition to hybrid work in a secure manner. Digitalization has brought many benefits, but it also increases the attack surface via misconfigured and under-protected cloud systems, unpatched home-working endpoints and distracted mobile workers. One report claims that 43% of global organizations fear their attack surface is “spiralling out of control.” Another estimates that the volume of insider threats jumped 44% year-on-year in 2021, with costs rising to $15m per compromised organization. Supply chain risk only adds to the headache for CISOs: an estimated 98% of global companies suffered a breach via their suppliers in 2021.

On top of this, security teams are woefully understaffed. The latest figures suggest the global shortfall in security professionals now stands at 3.4 million, including nearly 57,000 in the UK and almost 411,000 in the US.

The impact is clear. The US suffered a near-record number of publicly reported data breaches in 2022. In the UK, two-fifths of organizations last year reported suffering a security breach in the previous 12 months, rising to 72% of large firms. Over a quarter (27%) of UK tech and business leaders say they expect business email compromise (BEC) and “hack and leak” attacks to significantly increase in 2023, and 24% say the same about ransomware.

Counting the Cost

The financial cost of these attacks is clear. The FBI has recorded surging cybercrime losses over recent years. In 2021, the figure hit $6.9bn, making the total for the five-year period ending that year $18.7bn. Even this is likely to be a massive underestimate given the number of cases that go unreported.

For breached organizations it could mean regulatory fines, breach notification costs, third-party forensics and investigation charges, and money spent on crisis management, post-breach response such as credit monitoring and legal expenses. That’s not to mention the harder-to-estimate cost of reputational damage and customer churn.

Having an insurance provider pick up at least some of the bill has now become an essential requirement for many boards. However, their ability to secure the right policy at the right price has been complicated of late, as the cyber-insurance industry rapidly evolves.

How Is the Cyber Insurance Industry Changing?

The data with which insurers calculate risk exposure, and set pricing and coverage for customers, has not always been as accurate as they would have liked. This led first to a surge in ransomware claims from possibly under-protected customers, prompting many to blame the sector for the explosion in attacks over recent years. A correction in the market saw premiums rapidly increase while coverage limits declined. Prices now appear to have stabilized amid calls for the industry to hire more cyber experts to enhance underwriting and claims management.

This is certain to happen, as insurers get smarter and more prescriptive about the questions they ask of prospective policyholders. They could be a genuine force for good if this means forcing customers to improve baseline security as a precondition of cheaper policies.

However, it’s certainly not a silver bullet, according to Alexandros Papadopoulos, director of incident response consulting at Secureworks.

“People often think that having insurance means they don’t have to do anything else. But insurance only covers you for the monetary aspect of the response effort. It does not reduce your reputational damage, and it doesn’t protect your team from feeling exhausted and demotivated,” he told Infosecurity.

“People also fail to appreciate how much control they relinquish by handing over full investigative powers to a legal team or insurer, meaning they lose some control of the organization’s response to a cyber-breach. Also, cyber-insurance usually does not cover the cost of ‘betterment,’ i.e. fixing the original problem that allowed the breach to take place.”

A Checklist for Businesses

So, what do businesses need to consider when assessing potential cyber-insurance policies and providers? JP Morgan has the following advice:

  • Review policy coverage and ensure it aligns with the organization’s risk appetite and requirements
  • Consult the legal team to judge the implications for regulatory or contractual requirements
  • Estimate likely maximum losses from a serious cyber-attack, and the likelihood of such an attack occurring
  • Use the above workings and the cost of a prospective premium to calculate whether it’s financially beneficial to transfer risk to the insurer

We’re still some way off universal cyber-insurance coverage. Nearly half (48%) of SMBs report they don’t have coverage versus 16% of large organizations, according to the World Economic Forum (WEF). While not a silver bullet, coverage offers a fantastic opportunity, not just for individual companies to mitigate cyber risk, but also for whole sectors to enhance the maturity of their security posture.
