Premiums are rising and insurers are imposing stringent requirements prior to purchase. Chris Rogers at Zerto, a Hewlett Packard Enterprise Company, asks what the future holds for cyber-insurance
Since first coming to market in the late 1990s, demand for cyber-insurance has grown alongside the dramatic increase in digital crime. In the last few years alone, the global cyber-insurance market has tripled in size to hit $13 billion in 2022 and is expected to reach over $90 billion by 2033.
Given the widespread growth in cyber-crime, this is understandable. The potential impact of a security breach has become so serious that many businesses can no longer work on the assumption that they won’t be targeted. In fact, the emphasis has almost completely shifted from whether an organisation will be attacked to how often.
But what does cyber-insurance typically cover? According to the Association of British Insurers (ABI), cyber-insurance generally applies to losses relating to business costs from a breach, cyber-extortion, damage to digital assets, business interruption and liability, among other areas. For business victims of cyber-crime, where the impact can be financially crippling, this kind of insurance has proved invaluable in allowing them to recover and – eventually – get back to working as usual.
However, the sheer popularity of cyber-insurance and the growing scale of payouts is prompting another shift in the market, with organisations finding it increasingly difficult to get comprehensive coverage at a reasonable price.
Information about the average cost of claims varies, but between 2018 and 2022 the largest average SME claims came as a result of ransomware incidents and reached $334,000 per incident, according to industry figures. By some distance, ransomware represents the biggest source of cyber-insurance risk, both in terms of claims frequency and cost per incident, well ahead of the dangers posed by business email compromise, hacking and the impact of malware.
Given the skyrocketing levels of ransomware seen in recent years, insurers have reacted by tightening their underwriting criteria, driven by the rising costs of incidents and the associated claims. They have also narrowed what policies cover: many do not cover the full range of costs associated with a breach, such as long-term reputational damage, loss of customer trust or the complete cost of data recovery and system restoration.
Yet these costs can form a huge part of the overall recovery bill and often only become fully apparent after data has been restored and normal operations have resumed.
In practical terms, recent research has shown that, for most organisations, insurance costs are increasing significantly. Almost 80% of respondents reported that rates had increased on application or renewal, with over two-thirds saying they had increased by between 50% and 100%. If this trend continues, some organisations will reach a point where the cost of insurance starts to outweigh its potential benefits.
The value of resilience
So, where does that leave organisations that see the value of cyber-insurance but are also concerned about rising costs? What is crucial to remember is that, whether an organisation ever claims on a cyber-insurance policy or not, the policy should never be viewed as a ‘get out of jail free’ card.
Instead, it should work as a last resort that underpins an effective cyber-security strategy. Even when insurance enables an organisation to recover most or all of the costs it incurs following a breach, intangible problems resulting from operational disruption, employee stress, customer dissatisfaction and other issues will add to the overall negative impact. The point is that it’s always better to avoid the need to claim in the first place.
While it’s both easy and obvious to say that modern organisations should improve their security, many still seriously under-invest in the protection and resilience technologies, user training and compliance processes necessary to build a robust defence against threat actors.
In contrast, resilient organisations are prepared for security incidents and can get their IT systems back up and running within minutes of an incident occurring, without significant data loss. When targeted, these businesses are far more likely to resist an attack entirely or to mitigate its impact quickly.
Put resilience and insurance together and organisations put themselves in the strongest possible position to limit their exposure. This matters because, looking ahead, the development of cyber-insurance seems certain to bring further increases in cost and more difficulties for organisations seeking coverage.
Insurers are already imposing more stringent cyber-security requirements, with customers required to demonstrate they have effective security measures in place before they can purchase cover.
In addition, whether insurers will continue to cover serious risks such as ransomware remains to be seen, with one industry study from last year revealing that “21% of organisations stated that ransomware was now specifically excluded from their policies”.
In light of these future uncertainties, the emphasis on resilience is certain to increase.
Chris Rogers is Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise Company
Main image courtesy of iStockPhoto.com and Poca Wander Stock
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543