As the economy continues to strain, cybersecurity liability insurance costs have risen dramatically — and so has the number of data breaches and security incidents such coverage is designed to shield against financially.
For most organizations, this leaves the cybersecurity liability insurance market murky. At best, very mature organizations with well-heeled cybersecurity programs will find their rate increases have flattened at high levels. Others may discover their rates have risen dramatically. At worst, companies find they are not insurable against cyber-related financial risks.
"If you have a history of data breaches, or you are found to have things like an immature cybersecurity program or lack an incident response plan, you could very well end up not able to get insurance or having to pay up considerably," says David Elfering, senior cybersecurity specialist, SVP at insurance broker Marsh.
To avoid having an application for cybersecurity insurance denied, or facing steep premium increases, the experts we spoke with advise companies to take a few important steps to secure the coverage they need during turbulent economic times and an equally turbulent cyber insurance market.
The first step is rather apparent but crucial: fix any cybersecurity gaps that make the organization uninsurable in the eyes of the broker or insurer.
Such gaps are typically the result of failing to implement the cybersecurity practices and protocols that reduce the likelihood of a data breach or cyber-attack: skipping regular security assessments, neglecting employee training, or not adequately following broadly accepted best practices. Further, many companies have no comprehensive incident response plan in place. Such plans also help keep premiums down, because companies that can detect and respond to breaches quickly have a much better chance of keeping incident costs low.
In the latest year to be fully analyzed, 2021, the National Association of Insurance Commissioners (NAIC) found that the U.S. cybersecurity insurance market grew 61% over 2020, reaching $6.5 billion in direct written premiums.
It's not just economic uncertainty that has CISOs skittish about cyber insurance premiums. It's also the changing market dynamics. According to the NAIC’s Report on the Cyber Insurance Market [.pdf], the cybersecurity liability insurance market shifted about three years ago into a "hard market." In insurance speak, that means the amount of available insurance coverage can't match market demand. This enables insurers to be more selective in the risks they take and shift more costs to their customers.
"Insurers responded to the hard market, in part, by increasing premiums. The direct written premiums in the admitted market rose by 74% in 2021. Insurers saw a reduction in their loss ratios, partly because of premium increases. Regardless of a company's size or industry segment, companies continued to see their premiums increase during the first quarter of 2022," the NAIC said.
Indeed, just as the economy slows, with fears of contraction, cyber insurance premiums have risen, driven mainly by increasing loss ratios. And those losses are attributed primarily to hefty ransomware payments—and claims payments due to cybersecurity attack-related business interruptions.
Finally, the NAIC found companies falling short in securing against third-party risk. "In response, underwriters have begun analyzing supply chain networks more exhaustively to ensure sufficient security procedures are in place. Underwriting is evolving, and insurers are becoming more cautious when examining an insured's risk and the risk presented by third parties with whom they work and contract. Underwriters are reviewing a company's internal security controls and cyber-risk procedures with more scrutiny," the NAIC said.
According to Elfering, insurers are increasingly wary of systemic cybersecurity risks, whether from organized crime-fueled ransomware attacks, nation-state attacks, or even cyberwar following Russia's invasion of Ukraine. Farnum agreed and said in his experience, insurers still don't know how to manage the cybersecurity risks posed by nation-states and what constitutes an act of war.
Regardless of rate increases and concerns around some claims not being paid, the cybersecurity liability market is growing, even if much of that growth can be attributed to increased premiums. Data analyzed by the NAIC found that the "cyber insurance market is growing rapidly, though much of that growth has likely been due more to premium rate increases than increases in take-up rates or broadening coverage. Regulators continue to assess the market in terms of how insurance is providing protection to policyholders."
As Elfering points out, the things that will lower premium costs will also reduce the risk of a cyber breach, including following a good security framework, perhaps something like NIST's Cybersecurity Framework, commonly known as the CSF. "The more you invest in what you should do to improve your security program, the more successful you will be at lowering your premiums," Elfering adds.
That's an excellent point because while there's nothing enterprises can do individually about the health of the broader economy, or the decisions insurance companies make about general premium rate trends, they certainly have control over their security program's maturity. And stepping that up is a win for everyone except cybercriminals.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.