With the pandemic, the world has entered a new era of digitalisation and technological advancements. Today many day-to-day business activities are conducted using advanced digital technologies, which has also opened a new stream of cyber attacks. From 2021 to 2022, there was a 38% increase in global cyber attacks.
With increasing cyber attacks, cyber insurance is getting more attention. However, insurance companies are also tightening their cyber security policies considering the growing cost of cyber attacks and increasing vulnerabilities. This article explains why getting cyber insurance is becoming challenging and what the cyber security needs within the insurance industry are.
Cyber Insurance: A Quick Overview
Cyber insurance, or cyber security insurance, is an insurance policy that provides organisations coverage against data breaches and other cyber attacks. Cyber insurance can bear the cost of various activities after a cyber attack, such as:
- Cost for notifying customers about the breach.
- Cost for recovering compromised data.
- Cost for repairing damaged IT infrastructure.
- Legal fees and expenses.
- Income lost due to the attack and downtime.
Overall, cyber insurance covers all the crucial expenses an organisation has to bear after a cyber incident.
Why Insurance Companies are Becoming More Concerned about Cyber Insurance
In the past, getting cyber insurance was neither difficult nor costly because the scale of cyber attacks was not as devastating as it is today. However, the costs and impacts associated with cyber attacks have now skyrocketed. According to the Cost of a Data Breach 2022 report by IBM, the average data breach cost has increased to $9.44 million in the United States. Similarly, the Palo Alto Networks Unit 42 report highlighted an 82% increase in average ransom payments from 2020 to 2021.
The past two years have seen an aggressive jump in the number of successful cyber attacks. Therefore, insurance companies can no longer be lenient when providing cyber insurance. In fact, insurers have witnessed a significant increase in loss ratios in the past 18 to 24 months due to rising cyber attacks and the severity of claims. As a result, insurance companies are re-evaluating their insurance policies in three main areas:
1. Increased Cyber Security Premiums
The first prominent shift made by insurance companies is the increase in the premiums that organisations have to pay. In the US alone, cyber insurance pricing saw an average increase of 96% year-over-year in the third quarter of 2021. Likewise, there was a jump of 28% in cyber insurance premiums during the first quarter of 2022 compared to the fourth quarter of 2021.
This increase is justifiable considering the costly pay-outs insurance companies have to make if an organisation faces a data breach incident. It is projected that premiums might increase even more aggressively with new emerging threats to organisations. Therefore, it is likely that many organisations might not be in a position to afford the premiums.
2. Thorough Pre-Cover Activities
Besides increasing premiums, pre-cover activities have also become stricter, moving from a simple form filing activity to thorough security audits. Insurance companies now want organisations to conduct a thorough risk assessment that presents their current cyber security capabilities and the potential risks. There are even insurers that use their own set of tools within the customer’s network to assess the risks themselves.
Overall, insurance companies have become more cautious about pre-cover activities. Therefore, organisations looking to minimise premiums should implement top-notch cyber security policies to give insurance companies confidence that the infrastructure is less vulnerable to cyber threats.
3. Selective Coverage Industries
In addition to strict pre-cover activities and increased premiums, insurance companies are also limiting the coverage area. For example, Lloyd’s of London announced in August 2022 that it would exclude state-backed attacks from cyber insurance policies. Similarly, energy sector organisations are also facing issues from insurers due to their less effective cyber security protocols. In short, insurance companies are now showing more caution about which industries they intend to cover in their policies.
Cyber Security within Insurance Companies
Insurance companies do not just provide cyber insurance; they are also vulnerable to cyber threats themselves. Insurance companies mostly use digitalised technologies to carry out day-to-day operations. From policies and products to customer information, everything is based on data. Moreover, they store plenty of sensitive customer data compared to many other industries. Therefore, they are one of the favourite targets of cyber criminals.
Black Kite’s recent report on Cyber Insurance Risk in 2022 states that 82% of large insurance providers are vulnerable to phishing attacks. In fact, insurance companies that provide cyber insurance are shown to be attractive targets for ransomware attackers. Attackers first try to obtain policy details on how much coverage the company is giving for a ransom payment and then deploy the ransomware attack to ask for the specific ransom that the company can pay.
These days, attackers prefer to threaten the company with the disclosure of data instead of the traditional encryption of files. The threat of compromised data being disclosed on the dark web for further misuse by other criminals is one insurance companies do not want to face. Thus, insurance companies are not just concerned with the cyber insurance policies they provide, but they are equally concerned about cyber security within their own infrastructure.
Wrapping Up
With the growing buzz around cyber security, organisations need cyber insurance to give their customers and stakeholders confidence about long-term reliability. At the same time, insurance companies need to tighten cyber insurance policies due to the significant pay-outs.
However, the cyber insurance market is projected to grow at 18.2% CAGR 2022-2023, from $9.5 billion in 2021 to $61.2 billion by 2032. Therefore, it is likely that insurance premiums and other procedures will become more challenging, but organisations will still opt for cyber insurance. Similarly, we will see insurance companies opting for more robust cyber security measures to protect themselves from emerging cyber threats.