Cyber insurance policies are undergoing significant changes as insurers demand higher premiums and provide less coverage, leaving companies unprepared for potential breaches or security incidents. According to the “2023 State of Cyber Insurance” report by access-management firm Delinea, two-thirds of companies have seen their premiums rise by over 50% in the past year. Despite the increased costs, companies still feel the need to carry these policies and are allocating more budget to pay for the premium increases.
The rising premiums and stricter terms are attributed to the fact that the majority of companies (80%) have submitted at least one claim to their cyber insurance provider since obtaining a policy. Additionally, 47% have made multiple claims, highlighting the frequency of cyber incidents. Joseph Carson, chief security scientist and advisory CISO at Delinea, explains that insurance companies were not prepared for the high impact and frequency of cybersecurity incidents. However, with better data and improved decision-making processes, insurers are now able to make quantified risk-based decisions, resulting in higher premiums and more sufficient coverage for recovery.
The cyber insurance industry has experienced significant changes in recent years. Five years ago, insurance companies enjoyed profits with a loss ratio of 32%, meaning they paid out $32 in claims for every $100 earned in premiums, as stated in the 2022 Cyber Insurance report published by the National Association of Insurance Commissioners (NAIC). However, this ratio has worsened to 66%, reflecting decreasing profitability for insurers. To combat this, insurance companies increased premiums by 74% in 2021 and imposed stricter limitations on coverage, including capping payouts between $1 million and $3 million.
The industry’s shift towards using incident data for pricing policies has led to quick adjustments in premiums. Meghan Hannes, head of US cyber and tech underwriting management at insurance firm Beazley, explains that the economics of cyber insurance have undergone significant changes in the past five years, particularly with the rise of ransomware attacks. Insurers were strained to the limit during this period and had to increase prices rapidly to keep up with the evolving threat landscape.
However, the increasing requirements from insurers have resulted in significant gaps in coverage. Cyber insurance policies may now be void if a company fails to have security protocols in place, suffers an insider attack, or neglects to report the incident to its insurer first. Only about half of policies currently cover data recovery, incident response services, and the cost of impact on customers and partners. Smaller companies with limited security budgets face difficulties in obtaining coverage, with 28% of small-business applicants failing to acquire insurance compared to only 8% of large companies.
Although the rising premiums may be a burden, companies recognize the importance of cyber insurance and are allocating budget for it, albeit at a slightly lower rate compared to previous years. Hannes believes that prices will stabilize as insurers deliver products that are economically sensible, stable, and long-lasting.
One of the positive outcomes of obtaining cyber insurance is that it incentivizes companies to improve their security practices. Delinea’s Carson highlights that nearly all companies (96%) purchased at least one new security solution to meet insurers’ requirements. Insurance providers are now requesting better security best practices from businesses, making them more resilient against cyberattacks. Moreover, the onboarding process for cyber insurance often requires companies to adopt reliable backup and recovery processes, as well as multi-factor authentication, which ultimately enhances their overall cybersecurity posture.
In conclusion, companies must reassess their cyber insurance policies due to the increasing costs and reduced coverage. The cyber insurance industry has evolved to reflect the growing threat landscape and the frequency of cybersecurity incidents. While premiums have risen significantly, companies still recognize the importance of coverage and allocate budget accordingly. The requirements set by insurers have resulted in gaps in coverage and made insurance harder to obtain for smaller businesses. However, the process of applying for cyber insurance has forced companies to enhance their security practices, leading to better defenses against cyberattacks.
