The Cyber Insurance industry is evolving, but how will this impact businesses looking for cyber protection?
Cyber insurance premiums are continuing to rise at an alarming rate. Over the past 12 months premiums have increased by a staggering 174%*, but that’s only half the story. There has also been a significant change in the amount of cover that cyber insurance companies are providing within their policies. Despite a triple-digit percentage increase in some cases, the level of cover has halved year-on-year. When you combine the price increase and reduced cover with the strict criteria you need to meet to even get insurance, you’d be forgiven for thinking the outlook seems a little bleak.
Let’s also consider this from the point of view of the insurance companies. Over the past three years some insurance firms would have undoubtedly suffered heavy losses due to the sheer volume of successful cyber-attacks. This growth has accelerated the maturing of the cyber insurance market. Cyber teams within those insurance companies have rapidly become experts at understanding how to significantly reduce the chances of a business suffering a cyber-attack. This puts them in a unique position, as they get to analyse the fallout of each successful attack and understand how the breach occurred.
One of the best examples of such analysis is the 12 critical controls which Marsh have created. Marsh encourages their brokers to focus on these controls as a measure for how well a business is protected. This influences the cost of the premium and whether the client is insurable in the first instance.
In my opinion, such controls are a shining example of what great breach prevention looks like. One of the biggest challenges that most companies are going to face is understanding how they fare against such controls. Here at ThreatAware, it’s our experience that the majority of these controls are not commonly monitored by businesses, at least not at the frequency which would be required to regularly prevent breaches.
Having these controls available is great news for all CIOs and CISOs to help focus their efforts on preventing a cyber-attack. Secondly, if you can monitor these and prove the status of these controls you will pay the lowest premium for your insurance. So, by implementing these controls you should decrease the chances of a cyber-attack and lower your costs. That’s definitely a win-win.
For the sake of clarity, I think that every organisation should have cyber insurance. For those of you thinking about not getting cyber insurance and just focusing on these controls, I would say that’s akin to installing a CCTV camera and then forgoing your house insurance. In the same vein, you shouldn’t think of cyber insurance as a replacement for continually reducing your cyber security risk. Depending on the type of attack, the reputational damage may far outweigh the insurance payout. It is imperative that you have the correct insurance cover and work to continually reduce your cyber risk.
There’s no getting away from the need to have cyber insurance, even though it is perhaps inevitable that your premiums will increase, your cover will reduce, and just getting insurance will become significantly more time-consuming and challenging than in previous years. However, if organisations make cybersecurity part of their culture and focus on these critical controls, the level of damages paid out by insurance companies should start to fall and in turn bring those premiums back down.