Why Insurers are Shifting the Industry
Cyber insurance protects organizations from the financial and operational impact of cyber attacks – but not from the attack itself. Getting approved for the appropriate amount of cyber insurance coverage is crucial to risk management, but over the last three years, insurers and underwriters have changed their approach to accommodate the rising claims from ransomware, social engineering, hacking, or email compromise. Over 50% of insurance brokers’ clients saw prices go up 10–30% in 2020, then another 30–40% in 2021. What’s the cause of these changes?
1. Industry Costs are Rising
In the past, cyber insurance was a soft market characterized by high capacity and low premiums. The world we live in today has changed that. Systems, processes, and workflow changes have increased costs for insurers – but the threats have evolved too. The costs associated with recovering from a cyberattack have skyrocketed in the last few years, going from $760,000 to $1.85 million. The entire cyber insurance industry has hardened as insurers see their payouts rising faster than the income from premiums. Changes have to be made to account for rising costs and threats.
2. Coverage is Changing
Businesses that have cyber insurance have been used to minimal security requirements and lax underwriting resulting in full coverage, no questions asked. But now? Insurers are becoming willing to restrict coverage, with ransomware events being the most affected area of coverage. Sub-limits, co-insurance, and even ransomware exclusions are becoming more common.
Forbes Technology Council comments, “In the foreseeable future, cyber insurance companies will likely mimic healthcare insurers by mandating so many exclusions, co-pays and deductibles that cyber insurance policies will barely be worth purchasing. As insurers set caps or walk away entirely, businesses and consumers will be left to absorb massive losses.”
3. Remediation is More Complicated
In 2021, the average breach lifecycle was 287 days. And there’s a lot to do in those 287 days! Does your business have three quarters of a year to recover from a breach?
Remediation involves forensics, security experts, legal teams, regulators, PR consultants, breach notification processes – how do you know what’s covered by insurance and what isn’t? Historically, businesses have been able to submit a claim and get the money they need to remediate. These days, too many businesses get caught off guard once they submit a claim because they realize their policy doesn’t cover everything associated with remediation expenses.
4. Guidelines are Not Standardized
Because the cyber insurance industry is evolving so rapidly, underwriters are struggling to standardize coverage. Every provider is doing things differently. What we know is that underwriters care about gaps in risk profiles. If a business is not doing anything to protect itself from ransomware, underwriters won’t be interested in covering it. There won’t be payouts for compromise due to the use of outdated or unsupported technologies and processes. Businesses could be subjected to limited coverage, modified policy language, sub-limits, co-insurance, or additional premium charges if a provider decides the risk profile is too high.
5. Applications are More Complex
In the past, cyber insurance applications were pretty painless to complete. A business submitted its application for a high-dollar policy, and insurers didn’t need to verify much else. No one looked at the effectiveness of risk management practices. But because of the increase in claims due to cyber attacks, insurers are taking a closer look during the underwriting process. The days of quick cyber insurance applications are gone. Insurers have begun to focus on the implementation of foundational elements of security, like MFA, IAM policies, backups, and employee training. In many cases, underwriters are even collaborating with cyber professionals to properly evaluate risk and scope coverage.
With the right guidance and planning, you can renew an existing policy with minimal changes in coverage or fees – but it’s critical that you understand the changes in the industry and your risk profile.
To prevent denials or a decrease in coverage, start preparing for your renewal with our self-led security risk assessment. If you’d prefer an IT expert to walk you through the process, get in touch with us and a member of our team would be more than happy to assist.