Good cyber hygiene and a strong risk management culture are the obvious approach to take if you want to try to avoid being one of those “company X just got hacked” news stories we increasingly see. But even if you are one of the fortunate organisations taking all the right proactive steps – and do forgive my pessimism – I am convinced that most if not all security leaders will be talking about when – and not if – their organisation will face an incident for some time to come.
With that in mind, many organisations are turning to cyber insurance to transfer some of their risk and gain rapid access to specialist support should the worst happen. Is this an effective use of your scant budget? Or a case of pulling the duvet over your head because you heard a noise downstairs (because, of course, you are very safe under that duvet!)?
The cyber insurance market was worth approximately $7bn in 2020, and is expected to triple to more than $20bn by 2025. Despite the projected growth, the market still lacks maturity, and underwriters, without the loss history on which to price risk, have found themselves exposed to losses.
Estimating the likelihood that an organisation will suffer an attack, and the impact if it does, is riddled with uncertainty and speculation, in contrast to the mature actuarial methods used to estimate a car driver’s likelihood of having an accident. Cyber crime has risen to dizzying levels: 66% of surveyed organisations suffered a ransomware attack in 2021, a 78% increase over the course of a year. Geopolitical destabilisation, a pandemic and a cost-of-living crisis are just some of the reasons for the increase. When an organisation does claim on its policy, the average settlement has been observed at around $5m, according to analysis conducted in 2020, which has left some early policies loss-making for their underwriters.
This has led to volatility in both premium cost and the coverage offered. Last year’s premiums rose 92% year-on-year in the US, according to the Wall Street Journal, which in part explains the market growth projected above. Tighter eligibility and coverage conditions abound as underwriters look to manage potential losses.
Organisations unable to demonstrate even the most basic controls now find themselves shunned, or facing premiums that are simply too high. The questionnaires and pre-assessments that form part of the policy application have become more granular than ever before, with one ISF member describing the process as an “outright audit”.
While insurers are building significant caches of data describing the market, we are yet to see any large-scale cost reductions or product optimisations being passed on to the consumer. Insurers are also using automated discovery tools that produce a “scorecard” of an organisation’s security posture, the same tools that are used to manage supply chain risk. These tools rate what is observable from the outside, such as exposed services and certificate and DNS hygiene, so the score can be skewed by assets that are mis-attributed to you or no longer yours. Many suppliers work hard to keep their scorecards in order, and you should bear in mind that this early précis of your organisation could influence your premium too. It may pay to check it regularly for accuracy, both in terms of score and context.