Cyber insurance provides a critical hedge against financial losses stemming from cyberattacks, but these policies have become more expensive and difficult to obtain. Following years of increasingly sophisticated and expensive attacks and breaches, insurers are raising premiums and imposing stricter security requirements in efforts to reduce their exposure.
Faced with bigger losses and tighter margins, insurers boosted premiums by an average of 51 percent in 2022, according to data from Fitch Ratings, which conducts research and analysis for global financial markets. That’s a three-fold increase in just three years. In addition, insurers are raising deductibles, reducing coverage limits and enforcing more stringent coverage requirements.
These changes come in response to the rising number of claims made by policyholders. According to Fitch, claims have doubled and payouts have tripled in each of the past three years. This has put pressure on insurance companies to reevaluate their policies and pricing structures.
Market Uncertainty
Because cyber insurance is such a new market, underwriters have lacked the wealth of historical data and well-established actuarial models available for most other insurance products. The absence of standardized risk assessment methods often led to inaccurate assessments of price and risk. This made it difficult for insurers to strike the right balance between offering coverage and preventing an unhealthy concentration of risk.
The consequences of these industry shifts are felt most acutely by middle-market companies. For these organizations, cyber insurance serves as a crucial safety net, especially as they often lack the in-house security resources of their larger counterparts. However, as the cyber insurance landscape evolves, more holes are appearing in this safety net.
A recent study from the U.S. Chamber of Commerce and consulting firm RSM found that more than two-thirds of middle-market firms now carry cyber insurance. However, this study also highlighted significant reductions in coverage for data theft and extortion, including ransomware. As a result, more than a third of middle-market executives are unsure about what their policies actually cover.
Security Expectations
Despite the uncertainties surrounding the cyber insurance industry, it remains a vital investment for most organizations. With the average ransomware payment exceeding $1.5 million, even limited coverage provides valuable protection against financial catastrophe. However, organizations must be proactive and diligent when seeking cyber insurance policies.
One of the key shifts in the industry is the expectation that businesses invest more in risk management strategies and cybersecurity measures. Insurers increasingly require policyholders to demonstrate that they have implemented robust security controls. Common requirements include:
- Multifactor authentication for remote access to sensitive systems and applications.
- End-to-end encryption for sensitive data, both in transit and at rest.
- Security awareness training to educate staff about how to recognize and respond to attacks.
- Strong access controls to limit employee access to only the data, applications and systems they need to do their jobs.
- Incident response planning to outline how the organization will respond to threats.
- Regular security assessments to identify and address any security weaknesses.
Evolving cyber insurance markets reflect the growing challenges of an increasingly connected world. While insurers are taking measures to limit their exposure, organizations must also step up their cybersecurity efforts. Cyber insurance remains a critical tool in managing cyber risks, but it should be part of a broader strategy that includes robust cybersecurity measures and risk management practices. By taking a proactive approach, organizations can better protect themselves in this ever-changing digital environment.
