Gauging the value of cyber insurance
Cyber insurance premiums are becoming costlier by the day. In the first quarter of 2021 alone, cyber insurance premiums rose by an average of 18%, owing to the increasing number of claims and the thinning margins of cyber insurers. It’s now time to evaluate whether the amount of coverage is affordable and delivers real value to the policyholder. Below are five questions to help organizations assess whether carrying cyber insurance is a worthwhile investment:
1. What is our risk exposure?
Organizations should be fully aware of what’s at stake from a cyber risk perspective, because each company carries a different degree of risk depending on its distinct attack surface. Assessing cyber risk against well-known security standards or frameworks such as ISO/IEC 27002, the NIST Cybersecurity Framework or the ISF Standard of Good Practice for Information Security can serve as a good starting point for determining a company’s risk posture. Risk assessments not only frame the organization’s requirement for cyber insurance but also serve as evidence of effective risk management. Insurers evaluate how a company measures, monitors and manages its risk, so entities with a sound security posture are in a better position to negotiate favorable rates.
2. Is our risk insurable?
Once the business has insight into its risk exposure, it can more precisely define its requirements of a cyber insurance policy. Most brokers can advise on the policy inclusions, but it’s the policyholder’s responsibility to understand the nuances and evaluate whether the terms and inclusions of the policy meet its risk cover requirements. There will always be elements not covered under the policy, and the organization must be prepared to accept those risks.
3. Do we have the right coverage?
The value of cyber insurance is mainly dependent on its ability to provide sufficient risk coverage should a cyber incident occur. Organizations that carry out a detailed risk evaluation are in the best position to determine the extent of coverage needed. Prioritizing risks and taking into account the losses associated with those risks can help businesses select the right type and amount of coverage. Ultimately, cyber insurance shouldn’t be an off-the-shelf solution; it must be tailored to the business.
Review gaps in traditional insurance policies, as property/casualty, product liability, directors’ and officers’, kidnap and ransom, and general liability cover are also relevant in certain types of cyberattacks. The insurance industry has now started to eradicate “silent cyber” (cyber risks that are not explicitly mentioned in a policy), and most traditional policies no longer entertain any claims pertaining to cyber risks.
4. What does it cost to insure?
Because insurance is a risk-transfer process, there are several factors insurers take into account when arriving at a premium and agreeing to the terms of the policy. These factors can include:
- Coverage: Expenses that the insurer will reimburse.
- Exclusions: Types of loss that the policy will not cover.
- Premium: Cost of the cyber policy.
- Conditions: Eligibility criteria for the policy to remain valid and claims to be approved.
- Excess or deductible: Amount that the organization must pay before a claim can be made or the insurance is paid out.
- Sublimit: Maximum amount that the insurer will pay for a specific type of loss.
- Aggregate indemnity limit: Total amount that the insurer will pay across all claims within a specified period.
- Waiting period: Time that must elapse after an incident or business interruption before a claim can be made.
Remember that the better an organization is at managing information risk, the better the terms and price of the policy will be. Having said that, other external factors also govern the cost of insurance, such as rising demand for insurance, escalating cyber claims or an unstable geopolitical environment.
5. Do benefits outweigh the cost?
Businesses must make an informed decision about whether to accept the risk as it is and carry it on the balance sheet, or to take up a policy and invest in cyber insurance. Even when the policy is affordable, it may not completely satisfy the business’s requirements, and it might therefore be necessary to search for an alternative risk reduction method. That’s why choosing an insurer should not be the sole decision of IT, legal or the security team in isolation. All key stakeholders of the business, such as the C-suite, legal counsel and the insurance manager, must closely scrutinize the policy and decide whether the terms offered justify the price quoted.
Cyber insurance is about sharing, rather than divesting, cyber risk. Organizations must establish a symbiotic relationship with insurers to enhance security arrangements and better manage cyber risk. By helping insurers gain a more sophisticated understanding of the organization’s security posture, both parties will be better equipped to gather the right information to accurately measure and model an organization’s cyber risk.