The price of protection: Why cyber insurance premiums are on the rise


Harvina Bains

Security Blogger

23rd May 2023

Introduction

Recent statistics indicate that there are 2,200 cyberattacks per day, with an attack happening every 39 seconds on average. As a result of the increased frequency and severity of cyberattacks, more businesses are considering cyber insurance as a safeguard. But what is the cost, and how much protection is it really providing?

Cyber insurance was created to help businesses cover the costs related to suffering a cyberattack. This could be the damage or loss of information from IT systems and networks, investigation costs, damages or compensation payments to affected parties. However, it’s important to note that cyber insurance is not a ‘quick fix’ for improper security controls. Just like when you have home contents insurance, you still lock your doors to help prevent needing to make a claim. Cyber insurance should be treated no differently.

In this blog, we explore the reasons why cyber insurance premiums have increased by up to 150% and outline the necessary security controls you need to qualify for a cost-effective policy and protect your business.

Why are premiums going up?

Premiums for cyber insurance rose by 62% in 2022 following a 91% increase in the previous year. Several factors have contributed to the increases, including challenges in underwriting policies, limited reinsurance investment, and the volatility in cyber threats.

Underwriters are facing challenges with cyber insurance because of:

  • Lack of historical data – in comparison to other lines of insurance such as natural disasters, cyber is relatively new. There haven’t been enough cases to effectively formulate a model to base policies on.
  • Lack of sufficient cyber data – insurers are only aware of cyberattacks that are reported on. The law doesn’t require all breaches to be reported, only those that impact data on employees, customers or clients. The lack of data available is making it difficult for underwriters to measure all of the costs that are associated with cyberattacks.
  • Awareness gap – organisations lack knowledge about their internal preparedness for cyberattacks. Many companies still don’t have basic cyber hygiene measures in place which makes it extremely difficult for insurers to establish the level of risk.

Also, the demand for coverage has risen as costly cybercrime incidents have increased, with ransomware attacks being one of the leading causes.

Businesses have been claiming for cover against activities relating to response, recovery, business interruption and reputational damage. We’ve seen this just recently when Capita announced they expect to pay up to £20mn to cover professional fees, recovery and remediation costs following a Russian ransomware attack.

The uncertainties in the market paired with high pay-outs have caused insurance companies to be more cautious about cyber insurance offerings. Insurers have now made changes to three key areas to combat the challenges. These are:

  • Increasing cyber security premiums – due to the increase of claims and severity of attacks
  • Thorough pre-cover activities – insurers are moving away from simple forms and now want organisations to carry out thorough risk assessments to establish their eligibility for a policy
  • Selective coverage – insurers are now setting clearer conditions about what they’ll cover. For example, some insurers have now excluded state-backed attacks from their policies.

So, what can you do to bring that premium down and keep your business secure?

What requirements are insurers looking for?

As insurers try to understand risk levels, underwriters are now starting to form correlations between certain cyber controls and how they correspond with cyber incidents.

This has resulted in the underwriting process becoming more rigorous as insurers are carefully analysing all cyber insurance applications. They are asking more questions and seeking evidence about your existing security measures and risk controls.

To help quantify risk more accurately and provide appropriate support to businesses, insurers have defined twelve cyber security controls they recommend you implement if you wish to obtain cyber insurance.

The twelve recommended controls are:

  1. Multi-Factor Authentication
  2. Endpoint Detection and Response (EDR)
  3. Secured, encrypted and tested backups
  4. Privileged Access Management (PAM)
  5. Email filtering and web security
  6. Patch management and vulnerability management
  7. Cyber incident response planning and testing
  8. Cybersecurity awareness training and phishing training
  9. Hardening techniques
  10. Logging and monitoring
  11. End-of-life systems replaced or protected
  12. Supply chain risk management

As a prospective policy holder, it’s advised that you have at least the top five in place as a minimum before getting cyber insurance quotes. These are the main controls insurers want to see evidence of. The other seven are recommended controls that will help improve your security posture and provide reassurance to insurers that you are taking a proactive approach. The more controls you can evidence the better your premium and coverage will likely be.

If you do not implement any of the controls mentioned above, you can expect higher premiums, unfavourable terms and conditions and even refusal of insurance coverage.

Why investing in security tools is more beneficial than insurance alone

While we know insurance can provide financial protection against the losses incurred due to a data breach or cyberattack, it does not provide any protection against these attacks happening in the first place.

Investing in robust security tools allows your organisation to be proactive in the fight against cyberattacks and helps to prevent the subsequent disruption to your business operations.

Below we’ve listed our top five reasons why you should invest in security tools before taking out a cyber insurance policy:

  1. Prevention and mitigation – by implementing security measures such as firewalls, intrusion detection systems, encryption, and access controls, your business can significantly reduce the likelihood of a successful attack.

  2. Protect sensitive data – security tools help safeguard customer information, intellectual property and financial records. Breaches can result in the loss, theft or exposure of this data, which leads to legal consequences, reputational damage, and loss of customer trust. Protecting this data with adequate security measures is vital for long-term success and stability of your business.

  3. Reputation and customer trust – a data breach can significantly damage your organisation’s reputation. When customers perceive your business as insecure or negligent in protecting their information, they may take their business elsewhere. With the right security tools, you can demonstrate a commitment to data protection and maintain customer confidence, loyalty and brand reputation.

  4. Operational continuity – a significant breach can disrupt business operations which leads to downtime, loss of productivity and financial consequences. Having the right security tools in place will help maintain operational continuity by preventing or minimising the impact of cyber incidents. It allows your business to continue serving customers and avoid potential revenue losses and other associated costs.

  5. Regulatory compliance – many industries are subject to specific standards and guidelines set by governing bodies to demonstrate prevention and mitigation against cyberattacks. Examples of these include GDPR, PCI DSS, ISO 27001 and HIPAA. Compliance with these regulations requires implementing specific security measures and demonstrating due diligence in protecting data. Investing in security tools helps to maintain this compliance and avoids potential penalties and legal issues.

While insurance can provide financial protection after a breach, it should be considered as part of a comprehensive strategy rather than a standalone solution. By investing properly in security tools, your business can proactively address risks, preventing them from becoming incidents.

Applying for cyber insurance

When looking for a cyber insurance policy we recommend you do the following:

Start preparing early

If you’re thinking of taking out a new policy or are renewing an existing policy, take some extra time to familiarise yourself with the requirements and to understand the level of cover you’re eligible for.

Be proactive

Now is the time to tackle the security measures you haven’t got. With many controls now seen as a minimum requirement, you need to ensure everything is in place before applying for a policy.

Use an experienced insurance provider

The threat landscape is very volatile, and the way different insurers handle claims varies. Be confident that your chosen provider can sufficiently support you when you need to make a claim.

Use pre-breach services to your advantage

Many insurers will offer free resources for policyholders such as training, templates and readiness assessments to help with reducing risk. This is a win-win for you and the insurer.

How Defense.com can help

The controls that insurers define as a minimum requirement have been established as best practice for several years, but we are still seeing businesses struggling to adopt them due to budget constraints, lack of in-house knowledge and board buy-in.

For businesses that are in this position, particularly those that operate as SMEs, that checklist can appear quite daunting. Having a dedicated security team in place can be a large and expensive undertaking.

That’s where we come in.

We offer expert guidance and support that can help you achieve a proactive cyber security mindset and give you confidence about reducing cyber risk.

We can provide comprehensive risk assessments, help identify vulnerabilities and pinpoint gaps in your existing security measures, and provide recommendations for improvement.

With a Defense.com package, you can benefit from:

As well as offering other services such as penetration testing, outsourced DPO and virtual CISO.

We can help you meet cyber insurance requirements and provide the peace of mind of knowing that your business is adequately protected in the event of a cyberattack.

To find out more information about how we can support you, contact us here.

In Summary

The rising premiums in the cyber insurance market highlight the growing importance of robust security measures for businesses. While cyber insurance provides financial protection, it should be seen as part of a comprehensive strategy rather than a standalone solution.

By partnering with a cyber security provider, you can benefit from skilled security professionals supporting your business and the tools you need to demonstrate your preparedness to insurers.
