CyberSecurity SEE

Cyber insurance: Is it necessary for my company and what does it cover?

Cyber risk has become a major concern for businesses in recent years, as the rise of cyber threats, expanding attack surfaces, and security skills shortages continue to put organizations at a disadvantage. Many companies are now looking for ways to transfer liability onto a third-party carrier by investing in cyber insurance. However, relying solely on cyber insurance as a replacement for investments in best-practice cybersecurity may not be the answer.

At its core, cyber insurance helps companies of all sizes to insulate themselves from the financial impact of serious incidents such as data breaches and leaks. Depending on the policy, it can provide access to pre-breach assessments, vetted vendors, and information to help enhance resilience before an incident occurs. It can also assist with post-breach notification, forensic investigation, legal services, and crisis management expertise. Other benefits may include financial support for legal costs and damage claims against your company, coverage for costs incurred to keep business operational and restore data, as well as loss of revenue.

There are two main types of coverage: first-party and third-party. First-party coverage is related to the direct impact to your business of a cyber incident, including the cost of lost or damaged software, legal bills, forensics, customer notification, monetary theft, and more. Third-party coverage relates to claims filed by others against your firm for losses they experience due to a cyber incident, such as legal settlements with customers, lawyer and accountant fees, and more.

However, it is essential to note that cyberattacks on your company assessed to be “acts of war” may not be covered by your policy. Insurance companies have taken the controversial step of inserting a cyber war exclusion clause in their policies to reduce carrier liability for state-sponsored attacks. Nonetheless, proving that a threat actor was carrying out an act of war could be extremely challenging.

Most companies invest in cyber insurance because of the surging cyber threats and associated costs, plus increasing scrutiny from regulators that has forced them to find tried-and-tested ways to mitigate risk exposure. The rise of hybrid working, combined with cloud and digital investments, has helped to drive productivity and more agile business processes, but it has also increased the cyber-attack surface. For instance, unpatched home working endpoints, misconfigured cloud systems, and mobile-borne threats are just the tip of the iceberg. According to one 2022 report, 79% of organizations feel the recent changes to their working practices have negatively impacted their organization’s cybersecurity.

As a result of the increased risk, serious security incidents are more likely to occur, and they are becoming more costly too. For instance, the cost of cybercrime incidents reported to the FBI hit $6.9 billion in 2021. A year later, the total hit $10.3 billion—a 49% increase. That makes the total for the five years to 2022 a staggering $27.6 billion.

The cyber insurance market has undergone dramatic change over the past few years. A surge in ransomware breaches and subsequent claims during the pandemic led some to blame the sector for indirectly encouraging threat actors to launch attacks. The losses suffered by many carriers led to corrective action in the form of significant increases in premium rates and reduced coverage. However, prices have now stabilized, so policies are becoming affordable again.

Cyber insurance is evolving from being a lender of last resort to a security partner incentivizing good behavior that requires companies to put in place best-practice security controls and cyber-hygiene measures. Depending on the policy, these measures could include employee awareness training, regular backups, firewalls, encryption, two-factor authentication, access control, patch management, and disaster recovery planning.

SMEs and large businesses still rank cyber incidents as their number one threat. As costs mount, they will turn in even greater numbers to cyber insurance. That in turn should drive improved security, lower risk, and more affordable coverage. However, around half (48%) of SMBs still don’t have coverage, versus 16% of large organizations, according to the World Economic Forum (WEF). To optimize the use of insurance in the future, companies need to read the policy small print more carefully.

In conclusion, cyber insurance is critical in insulating businesses from the financial impact of cyber incidents. However, it should not be considered a replacement for investments in best-practice cybersecurity. Organizations need to adopt a proactive approach by implementing robust security measures to protect their systems and data in the first place. Only then can businesses minimize the risk of cyber incidents and, if one occurs, limit the damage effectively. Finally, investing in cyber insurance can provide an additional layer of protection and peace of mind.
