The cyber insurance market is changing fast, and conditions are getting tougher as the market hardens for the first time in its 15-plus year history. While most organizations already have some cyber insurance coverage, many are finding the bar for renewal is getting higher as capacity shrinks – and premiums are going up.
Good cybersecurity can help with cyber insurance in multiple ways: from facilitating access to a policy approved through underwriting to lowering premiums and reducing the likelihood of making a claim. This guide provides an overview into the state of the cyber insurance market and explains the different ways that cybersecurity can positively impact your insurance. It also details the Sophos technologies and services that can help you reduce your premiums and lower your risk.
Cyber insurance, also commonly known as cyber risk insurance and cyber liability insurance, protects you from the impact of cybercrime (though not from the crime itself). Broadly speaking, there are three main benefits to having cyber insurance:
While cyber insurance claims can be triggered by a wide range of incidents, the most frequent cause of claims according to NetDiligence's Cyber Claims Study 2020 are four common threats: ransomware, social engineering, hackers, and business email compromise (BEC)(1).
Cyber insurance covers the costs incurred as a result of a cyberattack. While individual policies vary, they typically cover:
When sourcing policies and comparing costs, it’s worth noting that the costs of business interruption, such as loss of income or additional costs of work due to the cyberattack, are included in some policies, but not others.
In the event of a cyber incident, the insurance provider will step in and provide experts to help deal with the situation. For a ransomware attack, they will typically:
Many policies include both first- and third-party coverage. First-party coverage is direct costs associated with the response to the attack, for example legal fees, forensic fees, customer notification fees, PR fees, and so on. Third-party coverage is primarily costs associated with lawsuits.
Within a policy, there may be specific sub-limits for first-party coverage, and even for specific items of first-party coverage. For example, first-party coverage may be limited to $500,000, which includes a limit of $50,000 for PR costs.
84% of organizations have some form of cyber insurance according to an independent survey of 5,000 IT decision-makers in mid-sized organizations commissioned by Sophos(2). Cyber insurance is commonplace across all industries, however the utilities sector, including energy and oil/gas, is most likely to have cyber insurance (88%), alongside media, leisure, and entertainment. This is understandable, given the high impact of a cyberattack on the utilities sector and its extensive use of legacy infrastructure that is often a target for attacks.
Only 64% of organizations surveyed, however, had cyber insurance that covers ransomware, leaving one in five (20%) exposed to the full cost of a ransomware incident despite investing in cyber insurance(2). The takeaway here is to make sure that you’re fully aware of the details of your policy and what it covers.
The public sector is least likely to have both cyber insurance (72%) and insurance against ransomware (52%). This is concerning, as public entities are a frequent target for cyber criminals as well as amongst the least able to defend against a ransomware attack with the Sophos State of Ransomware 2021 report revealing that:
Conversely, financial services is the sector with the highest level of insurance coverage for ransomware (72%) as well as one of the highest overall levels of cyber insurance. This sector, which can be perceived to be a lucrative target for cybercriminals, is leading the way in insurance readiness.
A recent survey of cyber insurance brokers and cyber underwriters from around the world by Advisen and Partner Re provides insight into the top drivers of new or increased cyber insurance sales(3). It is perhaps unsurprising that the top two factors behind the take up of cyber insurance are news of cyber-related losses experience by others and experiencing a cyber-related loss. However, in third place is board or senior management demand. This high level of demand from leadership teams reflects the cross-organization
devastation that a major cyber incident can cause. Defending against the implications of a cyberattack is now a mainstream business issue, not just an IT challenge.
As with all other forms of insurance, the cost depends on multiple factors, including:
It is important to be aware of the distinction between deductible and retention policies. With a deductible policy, the deductible (known as ‘excess’ in some countries) is included in the overall policy limit. Conversely, with a retention policy, the retention amount is in addition to the policy limit.
In the SMB market, it is not uncommon for there to be just a single carrier for cyber insurance. However, in the large enterprise market, cyber insurance towers are common, as one single insurer cannot provide all the necessary risk transfer. Insurance brokers build towers for individual customers, bringing together two, three, four, or more providers. The first provider covers cover the primary risk transfer, with the remainder covering the excess risk transfer.
Cyber insurance carriers will often have pre-approved vendors/suppliers, called a 'panel', that they work with in the event of an incident. If the company experiencing the incident does not have any existing relationships with vendors/suppliers, the cyber insurance carrier will encourage or even require them to work with one of these 'on-panel' organizations.
That said, most carriers are also open to working with other reputable vendors/suppliers, especially if a pre- existing relationship and/or contractual terms exist. This is referred to as an 'off-panel' approval. Naturally, there are many financial and operational advantages to working with a supplier that already knows the organization experiencing the incident and is familiar with their IT and business set-up.
If your preferred supplier is not 'on-panel' with your insurance provider, you can request to use them. Early communication with your insurance provider is paramount so your preferred supplier's cyber insurance team can engage with the insurance provider for the appropriate approvals.
When selecting a cyber insurance policy, it’s important to choose the appropriate level of coverage for your organization. You need to be able to recover successfully and keep your business afloat if you experience a cyberattack – while at the same time keeping your premiums at an affordable level.
The costs to recover from a cyberattack are considerable, and rising. The average ransomware recovery cost for a mid-size organization hit $1.85 million last year, more than double the previous year’s figure of $760,000(2).
This increase is driven in large part by the growing complexity of many cyberattacks. Adversaries are increasingly combining automation and tools with hands-on hacking, leading to far more destructive attacks that are harder to recover from. We should also remember that a large part of the recovery costs is restoring IT systems to the level they should have been before the attack with advanced protection on all devices, not just returning to status quo.
Cyber insurance has, until now, been a ‘soft’ market, characterized by high capacity and low premiums. However, for the first time in its 15-plus year history as a standalone policy, the market is starting to harden, as insurers see their payouts rising faster than the income from premiums: the industry’s loss ratio has risen for the last three consecutive years, rising to 72.8% in 2020(4). (Loss ratio is insurance costs divided by total earned premiums. For example, if a company pays $80 in claims for every $160 in collected premiums, the loss ratio would be 50%.)
A number of factors are driving this hardening of the market:
The result of this market hardening is higher premiums, with the cost of standalone policies in the US climbing 28.6% in 2020(4). It’s also getting harder for many organizations to get insurance in the first place as the underwriting process grows more and more rigorous and overall capacity drops.
Our cyber insurance is up and we’re having to jump through more hoops than we’ve ever had to before.
Corporate travel company
This hardening of the market creates a particular challenge for public entities, which are often considered to be easy targets for cybercriminals due to their weaker defenses. As a result, public organizations looking to obtain or renew coverage are facing fewer providers and tougher conditions, with prices sometimes doubled year over year.
Where [insurers] used to offer $10 million in limit, it's now $5 million.
Jack Kudale, CEO, Cowbell Cyber Inc.
The good news is that cyber insurance invariably delivers if the worst happens and you fall victim to a cyberattack. In Sophos' State of Ransomware 2020 survey, 95% of respondents insured for and hit by ransomware said the insurance provider covered costs resulting from the attack. In over two thirds (69%) of incidents the insurance provider covered the cleanup costs to get the organization back up and running again. In 44% of incidents the insurance paid the ransom, and in 29% it paid other costs such as those incurred for downtime and lost opportunities.
Insurers paid out in 95% of incidents
There is a direct relationship between cybersecurity and cyber insurance, and having strong cyber defenses in place can help in a number of ways:
In light of the challenges facing the cyber insurance market, providers are focusing increasingly on managing – and reducing – risk. Good cybersecurity can help you reduce your cyber risk which, in turn, makes you a more attractive prospect for cyber insurance coverage.
Advanced next-gen protection: Having robust security solutions in place and correctly deployed will reduce your cyber risk. In fact, next-gen protection is fast becoming a pre-requisite to secure cyber coverage, with managed detection and response (MDR) services, endpoint or extended detection and response (EDR/ XDR) technologies and next-gen endpoint protection the most common requirements.
Legal wants to get ransomware insurance and [MTR] is the step we need to get it done.
IT technology and solution provider, global reach
Multi-factor authentication is now often a requirement to secure coverage as insurers look to close a common security gap before they absorb risk.
Our cyber insurance renewal is predicated on us enabling MFA for remote access.
IT support and services provider, USA
I was told that if we don’t get MFA within a year, our cyber insurance will be dropped.
Healthcare provider, USA
Incident response plan: A third area to consider is business continuity readiness i.e. how prepared are you for a major cyber incident. The best way to stop a cyberattack from turning into a full breach is to prepare in advance. Often, after an organization experiences a breach, they realize they could have avoided a lot of cost, pain, and disruption if they had had an incident response plan in place. Having a detailed plan that enables you to minimize the impact of an incident will reduce your cyber risk, making you a more attractive prospect to insurance providers.
Just as an alarm and window locks reduce your home insurance premiums, so having advanced IT defenses helps reduce your cyber insurance costs. While the insurers’ exact premium calculation algorithms are a closely-guarded secret, customers consistently say that the quality of their protection impacts their premiums.
Because we didn’t have EDR installed on 100% of our appliances, the insurance [costs] doubled.
Web hosting company, USA
As with other forms of insurance, if you make a claim, you can expect a significant increase in your premiums in subsequent years. By minimizing your risk of being impacted by a cyberattack you reduce the likelihood that you’ll need to call on your policy – and help keep your premiums down.
Poor IT security hygiene can prevent you receiving financial support in the event of an incident. If the insurer believes that you ‘left the door open’ through weak practices, they may have grounds to not pay out.
We do not pay for any claims, losses, breaches, privacy investigations or threats due to the use of outdated or unsupported software or systems.
Hiscox Cyberclear™ policy wording, UK, June 2021
By eliminating these gaps, you can help ensure that, should the worst happen, the insurance company will step in.
Responding quickly and appropriately to a cyberattack can significantly reduce the impact and cost of the incident. Having a malware incident response plan in place and being able to call on experienced incident responders will help you minimize the fall-out from the attack.
Advanced next-gen protection: Endsight provides the advanced threat protection that is increasingly required to qualify for insurance coverage and keep premiums down – all backed by the threat intelligence and cybersecurity expertise of artificial intelligence and security ops.
Multi-factor authentication: Endsight enables you to meet MFA requirements, while also elevating your security.
Incident response plan: When assessing risk, insurance providers are increasingly asking organizations about their disaster recovery readiness as good preparation can reduce the cost, pain, and disruption of a cyber incident.
Endsight's cybersecurity solution gives you world-leading protection against ransomware, malicious hacking, and other advanced threats. Our solutions help you minimize the risk of experiencing a major cyber incident, reducing the likelihood of needing to make a claim and helping keep premiums down in the future.
Endsight's cybersecurity solution makes it easy to identify IT hygiene issues and security gaps that could prevent an insurer paying out, such as the use of outdated software. Armed with this information, you can address issues and help ensure that, should an attack happen, the insurance company will step in.
If the worst happens and you get hit by a cyberattack, the incident response experts we've partnered with can help you get out of the danger zone fast and minimize the impact and cost of the incident.
The cyber insurance market is getting tougher as premiums and the bar to get coverage go up. Having good cybersecurity in place will help you reduce the cost of your cyber insurance and minimize the risk of making a claim. It also helps ensure that, should the worst happen, the insurance provider will pay out.
Endsight can help you get the cyber defenses you need to optimize your cyber insurance coverage. To discuss your requirements and how Endsight can help, please reach out.
Referenced sources:
(1) NetDiligence Cyber Claims Study 2020. Data for organizations with less than US$2 billion annual revenue
(2) The State of Ransomware, 2020, Sophos
(3) Cyber Insurance – The Market’s View, Advisen – Partner Re, September 2020. Survey of 260 cyber insurance brokers and 190 cyber underwriters from around the world
(4) S&P Global, June 1, 2021
Thanks to Sophos for helping us produce this content.
California-based organizations hire Endsight to ensure that their systems operate effectively. Their investments in IT align with their business goals; and they rely on our award-winning helpdesk support, secure environment, and strategic guidance to thrive.
