Chris Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise Company, asks if the cost and complexity associated with getting cyberinsurance outweighs its potential benefits.
Organisations looking to insure themselves against the potential ramifications of a cyberattack now face some stiff challenges.
In addition to a sharp rise in the cost of insurance premiums and the increasing requirements associated with qualifying for cover in the first place, the list of exemptions for payouts is getting longer and longer. As a result, firms must carefully consider exactly what their cyberinsurance product covers, because the list of policy exclusions are extensive.
Many insurers have now hardened their position on specific social engineering methods and internal threat actor attacks. Meanwhile, getting cover for supply chain or hostile state-sponsored attacks is becoming increasingly difficult.
This leaves firms between a rock and a hard place. Not having cyberinsurance isn’t an option if it’s a mandated board level requirement. Meanwhile, the potential cost and risk exposure associated with cyberattacks means businesses can’t afford not to have an insurance safety net in place.
Given all these difficulties, how can organisations meet these cyberinsurance challenges head on?
Cyberinsurance – a rapidly evolving landscape
Since its beginnings in the 1990s, the cyberinsurance industry has experienced rapid and meteoric growth that mirrors the dramatic increase in digital crime. So much so that analysts are predicting that the global cyberinsurance market is set to reach over US$90 billion by 2033. That’s a significant jump from the US$12 billion market valuation of 2023.
According to the Association of British Insurers (ABI), cyberinsurance cover applies to the losses and liabilities that can arise from a breach, ransomware, damage to digital assets and business interruption, and includes the provision of assistance managing cyberevents when an incident occurs. For organisations that are victims of cybercrime, this form of insurance has proved invaluable for recovering from an attack event and resuming business-as-usual operations.
However, the evolving nature of cybercrime, the increasing frequency of attacks and claims, and the growing scale of payouts has prompted the insurance industry to raise premiums and tighten their underwriting terms and conditions. According to industry figures, the average insurance claim for an SME now stands at US$345,000 per incident.
The implications of all this for organisations looking to utilise insurance to minimise their cyber-risk exposure are significant and only set to increase.
Cyberinsurance – navigating the cost and tightening criteria
Organisations are finding it more difficult to get comprehensive insurance coverage at a reasonable price. According to recent research, almost 80% of firms encountered higher insurance rates upon application or renewal, with over two-thirds saying these increases ranged between 50% and 100%.
With ransomware now representing the greatest source of cybersecurity insurance risk, both in terms of frequency and cost per incident, insurers have responded by significantly tightening their underwriting criteria.
Organisations must now demonstrate they have effective identity and access management in place, together with network segmentation and an appropriate backup and recovery strategy. In addition to these foundational controls, businesses find they need to undertake comprehensive threat evaluations and implement tailored prevention, detection and response controls.
Despite this uptick in requirements, insurance companies have simultaneously reduced the level of cover on offer and many policies no longer cover the full range of costs associated with a breach. As a result, organisations may find it difficult to recoup losses related to long-term reputational damage, the loss of customer trust or get back the complete cost of data recovery and system restoration.
Together, these issues can drive organisations to reach a pivotal decision point. Does the cost and complexity associated with getting cyberinsurance in the first place outweigh its potential benefits?
Looking to the future: Reframe and focus on resilience
Regardless of whether an organisation makes a claim on an insurance policy or not, it’s important to keep in mind that cyberinsurance should never be viewed as a ‘get out of jail’ card. Instead, it should be viewed as a last resort that is used to underpin an effective cybersecurity strategy.
While an insurance policy can help organisations recover some, or all, of the costs incurred following a breach, it won’t address a number of issues that follow in the wake of operational disruptions. These intangible challenges can include dealing with employee stress, customer dissatisfaction and more.
In this day and age, organisations must assume that the likelihood of a cyberattack is now a case of ‘when’ not ‘if’, and plan accordingly. That means investing appropriately in protection and resilience technologies, alongside comprehensive user training and compliance processes, that together deliver a truly robust defence against threat actors.
There’s no getting away from the fact that it’s better to implement the cyber-resilience controls needed to minimise any need to make an insurance claim in the first place. Organisations that are appropriately prepared for security incidents are more likely to resist an attack in its entirety or quickly mitigate its impacting, getting IT systems back up and running within minutes of an incident with no significant data loss.
Adopting a multi-dimensional approach
Organisations that opt to combine insurance with a comprehensive and forward looking IT and business resilience strategy will be in the strongest possible position to limit exposure. Ultimately, insurance should be one element of a robust and unified risk management system that should feature attack defences alongside comprehensive resilience and recovery capabilities that make it possible to come back fast from a ransomware attack.
Looking ahead, the cyberinsurance market looks set to bring in additional price increases alongside ever more stringent cybersecurity requirements. Organisations that pursue a more holistic cyberstrategy will be able to demonstrate to underwriters that they have the backup, Disaster Recovery, detection and data vault capabilities needed to protect their data in a comprehensive fashion.
One thing is for sure, with a recent industry study finding that 21% of insurers now specifically exclude ransomware from their policies, the importance of focusing on resilience is only set to grow.