Examining the Cyber Insurance Market
With more stringent underwriting process, higher costs, and less coverage, the cyber insurance market has hardened in 2022. Learn more from Inversion6.
The cyber insurance market is entering its most tumultuous year yet in 2022 due to increased cost, more stringent requirements to secure coverage, and more complexity across the board. This particular market hardened considerably in 2021 and the questions plaguing the industry — related to systemic cyber risk and cyber underwriting practices — are expected to continue to impact cyber insurance throughout 2022.
For most of the last two decades, cyber insurance was viewed as easy to acquire and relatively simple to add to an existing policy, broad in scope, and extremely affordable. But that has dramatically changed over the last two years. Due to myriad factors, the complexity of policies has sharply risen and the costs of landing new cyber insurance policies — or renewing them — has skyrocketed.
For instance, according to data compiled by S&P Global Market Intelligence, 43 cents out of every dollar paid in cyber insurance premiums was spent paying an insurance claim (or related cost) in 2016. Between 2016 and 2019, that number (also known as a loss ratio) never rose higher than 48 cents. In 2020, it exploded to 73 cents on the dollar. The cyber insurance market reacted accordingly in 2021; by the end of Q3 in 2021, pricing for policies in the U.S. increased an overage of 96%, year-over-year.
These increased costs can be attributed to four factors:
- Loss environment — Cited above, the increase in loss ratios has led to a corresponding deterioration of profits.
- Systemic risk concerns — Insurers are paying closer attention to the risk that a single cyber event could affect a considerable number of insureds simultaneously. A systemic cyber event could cost multiples of the estimated size of the current cyber market.
- Reinsurance — These costs are also increasing, thus adding to cyber insurance pricing. The demand for reinsurance capital remains greater than available supply.
- Available capital — The pool of capital available to clients from insurers is dwindling, meaning the total amount of cyber premium that insurers are collecting is potentially insufficient to fund for a catastrophic loss. Some insurers are exiting the cyber insurance market due to the concerns noted above. Meanwhile, others are reducing the amount of capital deployed on any given risk in order to limit their own portfolio’s exposure.
Cyber insurance has evolved more quickly than anticipated as a result, and that’s led to ripple effects for organizations looking to secure, or renew current policies. Insurance providers are now demanding more specifications and clarification from their insureds on their deployment of cybersecurity, how it maintains such controls, and how they’re improving their overall cybersecurity health.
Policy documentation now entails reams of questions as opposed to the simple paperwork from a few years ago. Insurance providers are more concerned about potential risk than ever before. And with some exiting the market entirely, there are fewer providers to work with. The underwriting process is growing more and more rigorous, and the overall capacity has dropped.
It’s left many companies paying more for less coverage, despite taking steps to implement better overall security. It’s not just you; it’s the state of the cyber insurance market.
Go Deeper with Inversion6: Security is an integral part to keeping your organization safe, and it’s important to address as part of maintaining cyber insurance. Learn more in our webinar.
The Disruptor: Ransomware Heavily Impacts Cyber Insurance Market
The single biggest factor for increasing the cost, complexity, and volatility of the cyber insurance market has been the rise in both the number and asking price of ransomware attacks.
It’s important to remember that unlike other fields covered by insurance, cybersecurity is — historically speaking — a relatively new phenomenon. Actuaries have data on risk factors and lifespans dating back decades and even centuries for other fields. Cybercrime is much newer, with the exponential growth of lateral-moving enterprise ransomware only happening within the last five years.
Without much historical data on cybercrime losses — such as those related ransomware — insurers took an industry-standard hands-off approach to accept customers without much diligence on security practices. To put it bluntly, they didn’t know what they didn’t know. With precedence or context, many insurers were operating on blind faith. It was adequate for a time, but then the risk environment changed from occasional data theft to rampant extortion.
Since 2018, cyber attacks and losses have escalated exponentially driven first by the rapid digitalization of businesses and accelerated by the pandemic and number of organizations buying cyber insurance. As more policies were secured, there were more targets with identifiable price points for malicious actors deploying ransomware and other cyber attacks.
Not only have the raw number of ransomware attacks risen, but also the demands from the cyber criminals have also increased — with attacks increasing across organizations of all sizes. According to information compiled by Sophos, the average asking price for a ransomware attack in the first half of 2021 was $1.2 million; that marks a 170% increase from the same time period in 2020. Also, the average ransomware recovery cost (excluding the ransom payment) in 2020 was $760,000; that more than doubled in 2021 to $1.85 million.
As losses and insurance payouts mounted, insurers reacted by increasing the security requirements for those seeking cyber insurance policies, decreasing the overall amount they would cover, and increasing the cost to implement policies. More than ever, organizations need cybersecurity assistance to help implement the necessary controls and prove those solutions work to acquire cyber insurance.
At a minimum, many insurers now view several security controls as necessary before they’ll agree to issue or renew policies addressing ransomware and other cyber incidents:
- Endpoint Detection & Response (EDR)
- Multifactor Authentication (MFA) on external AND internal systems
- Privileged Account Management (PAM)
- Email Filtering & Web Security
- Incident Response Planning & Testing
- Offline, Encrypted, and Tested Backup Systems
- No End-of-life software or hardware
Get Prepared with Inversion6: Learn what you need to know to build a successful strategy against ransomware here.
Future Considerations for the Cyber Insurance Market
With policies becoming more detailed and specific, underwriting growing in complexity by the week, and renewal process more strenuous than ever before, cyber insurance providers want to know more and more about your security maturity. And even then may elect to decline coverage if you’re not up to their new and still evolving standards.
So, is still pursuing coverage in the hardening cyber insurance market worth it? Some organizations are exploring options in self-insurance, but the majority will still want cyber insurance to provide coverage in the event of an attack, and to get back up to speed if one occurs. Insurance can save a company in the event of a massive breach solely from the financial perspective alone, but also supports efforts to minimize the fallout from such an incident as well.
Cyber insurance can provide access to key services in the event of an attack such as:
- A breach coach to walk through the next steps
- Legal assistance
- Public relations/Crisis communications
- Forensic investigations
- IT remediation services
After an incident, it’s less about the size of the payment offered and more about these supporting services. Without them many organizations would be left scrambling and flailing to find the proper response processes and likely will endure even more costs — in both time and money — in trying to get back on track.
Moving forward, the cyber insurance market will likely lean on policies dependent on higher deductibles, higher base security standards, offering lower maximum payouts. Insurance companies could create these standards in place of regulatory steps from a government body. Many of the security standards for home and business owners come from their insurance policies rather than regulation, for example.
Future security requirements for cyber insurance will include new and emerging controls like Privileged Access Management (PAM), Two-Factor Authentication on all accounts, systems, and applications, top-of-the-line or ‘magic quadrant’ EDR systems, and third party 24/7 monitoring among others.
It’s no longer 2010. Companies can no longer count on being able to easily line up cyber insurance without dedicated security controls, expert advice on traversing the current market landscape, and the flexibility to adjust to upcoming changes. Organizations will need expert guidance to shore up security, and to help navigate this rapidly changing environment.
Learn more with Inversion6: Spending more and more time on the cloud? Protect your information with these cloud security solutions.
Inversion6 is Built to Address Every Aspect of Cyber Insurance
The constantly-evolving scope and details of cyber insurance can be intimidating for businesses of any size as they struggle to grasp and meet new requirements and questions regarding coverage. Inversion6 Technologies has worked for decades to make companies more secure, and enable their security systems to reach many industry regulatory and compliance requirements. In the process, Inversion6 Technologies has developed the expertise, knowledge, and techniques needed to help organizations quickly adjust to, and meet, the rapidly changing requirements for securing new — or renewing — cyber insurance policies.
As an extension of your team, Inversion6 Technologies provides customized security solutions to support your internal security efforts. Whether you’re looking for CISO, MSSP, or security software guidance, Inversion6 Technologies partners with you to keep your company safe. Dedicated to long-term service, Inversion6 Technologies will work to protect your organization relentlessly — every hour of every day — by investigating and detecting potential threats, then communicating those concerns and finally, eliminating security issues. Virtually every aspect of our service will impact your place in the cyber insurance market, from meeting requirements for coverage to proving adherence to established standards and more.