Cyber Insurance, is it worth the paper it’s written on?

Cybersecurity insurance was first introduced in the 1990s to protect large enterprises against data processing errors and similar risks. But it is still a relatively new concept for many small to medium businesses.

Cyber threats have exploded since that time, and, today, any organization using IT is a potential target for cybercriminals. In response, cybersecurity insurance policies have also changed and are no longer limited to enterprises and big corporations.

Data breach volumes and costs continue to rise: 2021 set a record for the most data breaches recorded and, in the first quarter of 2022, breaches were up 14% on Q1 2021.

Demand is Increasing 

The average cost of a data breach is currently approaching £2.5 million (global average). In the U.S., it’s more than double that, at $9.44 million. As these costs continue to balloon, so does the demand for cybersecurity insurance.

Companies of all types are realising that cyber insurance is critical. It’s as important as their business liability insurance. Without that protection, they could easily be ruined by a single data breach.

Premiums are Increasing 

With the increase in cyberattacks has come an increase in insurance payouts. Insurance companies are increasing premiums to keep up. In 2021, cyber insurance premiums rose by a staggering 74%.

The costs from legal action, ransomware payouts, and other remediation have driven this increase. Insurance carriers understandably aren’t willing to lose money on cybersecurity policies. Consequently, those policies are getting more expensive – but the insurers are also adding more caveats.

Insurance Coverage is becoming more selective

Certain types of coverage are getting more difficult to find. For example, some insurance carriers are dropping coverage for “nation-state” attacks. These are attacks that come from criminals either sponsored by, or under the control of, hostile governments. (Many hostile governments have ties to known hacking groups.)

So a ransomware attack that hits consumers and businesses could very well be declared by the insurer to fall into this category (in 2021, 21% of nation-state attacks targeted consumers and 79% targeted enterprises), which is not the sort of shock you want when your business is on its knees.

Losses due to ransomware or ‘social engineering’ attacks are another type of payout being excluded from some policies. Between Q1 and Q2 of 2022, ransomware attacks increased by 24%, and insurance carriers are becoming tired of insecure clients relying on them to pay the ransom, so many are excluding ransomware payouts from policies. This puts a bigger burden on all organisations to be absolutely certain that they have an effective backup and recovery strategy in place, with staff training to make sure avoidable losses are eliminated.

It’s Harder to Qualify

Just because you want cybersecurity insurance doesn’t mean you’ll qualify for it. Insurers are becoming stricter, and the required qualifications are becoming more stringent. Where building insurance companies might require locks on your doors and windows to meet certain standards, cybersecurity insurers are now expecting an improved level of cyber hygiene from businesses.

Some of the factors that insurance companies will likely want to evaluate include:

  • Network security
  • Use of things like multi-factor authentication
  • BYOD and device security policies
  • Advanced threat protection
  • Automated security processes
  • Backup and recovery strategy
  • Administrative access to systems
  • Anti-phishing tactics
  • Employee security training

You’ll often need to fill out a lengthy questionnaire when applying for insurance, including several questions about your cybersecurity situation. This is a great opportunity to check that your IT Support Provider is fulfilling their part of the deal and, if there are shortfalls, to rectify them.

What cover do you get?

You might assume that cyber insurance would cover everything you need to get back on your feet, including:

  • Recovering compromised data
  • Repairing computer systems
  • Notifying customers about a data breach
  • Providing personal identity monitoring
  • IT forensics to investigate the breach
  • Legal expenses
  • Ransomware payments

But the reality might be starkly different. Insurers are in business to make a profit too and are unlikely to simply open their cheque books on demand. If you can’t demonstrate that you’ve complied with all requirements and precautions, then you may well discover that no payout is forthcoming.

You must also consider the level of cover. We recently heard of a small business that needed to claim for a cybersecurity breach. Although they were able to prove their eligibility, they hadn’t banked on the vast majority of their payout being consumed by the cost of necessary Legal Compliance work. As a result, there was precious little left to actually get the business moving again.


So, is a Cyber Security Policy worth the paper it’s written on?

Possibly 😊.

This is where a good insurance broker, who understands the minutiae of Cyber Policies, will be able to advise. As with all discretionary insurance, it needs to be a balance of risk, cost and cover – but most importantly, you need to know what won’t be covered so you can plan ahead. This is exactly what an Insurance Professional should be able to explain.

Cyber Essentials

Cyber Essentials is a UK Government-backed scheme that aims to improve the IT security of all UK organisations. It covers the key areas that make the most difference to cyber security, and Certification is priced to make it accessible to all operations. An added bonus is that successful certification also includes basic Cyber Insurance cover – so it’s well worth investigating.

Trusted Computing Ltd

We’re not insurance brokers or legal risk evaluators – but we have helped a lot of organisations successfully achieve Cyber Essentials Certification and have partnerships in place with other Cyber security professionals to deliver a complete service.

If you feel that Cyber Essentials Certification would benefit your operations, we’d be very happy to discuss this further.


UK Cyber Essentials Scheme :

IASME (who operate the CE Scheme on behalf of the UK Government) :

IASME CE Cyber Liability Insurance Cover :

Insurance Professionals

Sutcliffe & Co. Insurance Brokers (who underwrite the IASME CE Scheme):

Assured – Specialist in Cyber Risk :

CyberCovered – Online Specialist :
