Cyber-Insurance – Can companies afford it any more?

Is the golden age of cyber-insurance over?
15 August 2022

Cyber-insurance – always there for you. Until, maybe, now.

In early August, the Mobile Security Index 2022 revealed a staggering 22% increase in cyber-attacks on companies in 2021 – practically a 100% increase year on year. The Index attributed the rise in cyber-attacks to the combination of remote work becoming a post-pandemic reality and the increased freedom of remote workers, taking company technology into places where they were more vulnerable to attack. Now, Marsh, a leading insurance broker, has revealed that the cost of cyber-insurance rose by 102% in the first three months of 2022 alone.

There’s a chicken and egg logic to that – more attacks mean more claims, and more claims mean higher premiums. But the cycle doesn’t end at that point. Marsh has also warned that the increase in cyber-insurance costs – coupled with the financial pressures of an oncoming recession – will mean that fewer and fewer companies are likely to be able to either afford or qualify for cyber-insurance at all in 2023, just when they need it more than ever.

The company predicts that businesses face increasingly harsh economic choices as they go into 2023 and everything becomes even more expensive than it currently is – making cyber-insurance seem like a potentially unaffordable luxury. But meanwhile, insurers themselves are likely to decline cyber-insurance cover to some companies, or at the very least, impose significant coverage limitations if the companies don’t have a robust cybersecurity strategy in place.

No More Silver Bullet

The result of that would be to poke big holes into the safety net of cyber-insurance, so that if and when companies call on it to recover from a cyber-attack, they might well find getting recompense a much more complex and uncertain process than they have previously been used to. In essence, the rise in cyber-attacks and the resultant inflation of insurance costs may see the end of cyber-insurance as the ‘silver bullet’ that puts everything right after an attack.

Just at the point where attacks are on the rise to an unprecedented degree.

And also, at the point where regulatory regimes around the globe are tightening their definitions and demands before companies can make a cyber-insurance claim.

For instance, in the US, the National Institute of Standards and Technology is aiming to revise its Cybersecurity Framework during the second half of 2022. The EU is proposing a New Data Act, which could require safeguards against unlawful data transfer from IoT devices. The Australian Cyber Security Centre updated its “Essential Eight” guidelines on cybersecurity in July 2022. And even the UK’s Information Commissioner’s Office is updating its guidelines on enhanced privacy technologies.

The Perfect Storm

The result of all these factors is a kind of perfect storm for cyber-attackers, and a potential nightmare for companies that find themselves between the devil of a historic rise in cyber-attacks, and the deep blue sea of an increasing financial and regulatory difficulty in getting the cyber-insurance they need.

“Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organizations trying to execute on their cybersecurity strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber-insurance for many,” said Peter Woollacott, CEO at Huntsman, a leading Australian cybersecurity firm, describing the storm as companies will be feeling it.

The truth is that for cyber-insurance premiums to fall again, companies across the industry will need to apply significant cyber-security measures in-house, to reduce the frequency and likelihood of cyber-attack, both within their own company (making themselves less of a cyber-insurance liability) and across the industry (relaxing the overall need for high premiums to cover the number of pay-outs).

Taking Action Now

That means firms now need to address cybersecurity through corporate policies (around the likes of passwords, remote worker protocols, VPN-usage, etc), and to take a harder line on cybersecurity risk within their organization and their workforce, both on-premises and remote.

Cybersecurity is in no sense susceptible to a one-size-fits-all solution, but there are baseline policies that companies can adopt and employ to minimize the risk of becoming a victim of cyber-attack in the first place, and seeing their cyber-insurance premiums rise above the already-rising market norm as a result of having gaps in their armor.

Bottom line: the more seriously a company can demonstrate that it takes cybersecurity, the lower its risk will be and, as a direct result of that lowered risk, the lower its premiums are likely to be.

Adding elements like:

  • Multi-factor authentication
  • End-point protection
  • Password managers
  • Restricted administrator privileges
  • OS and application patching
  • Regular backups
  • Regular software updates
  • Tested business resilience planning, and
  • Disaster recovery planning

to a company’s cybersecurity platform shows how seriously that company takes its cybersecurity. It’s also vital that both remote and on-premises staff are made aware of the importance of cybersecurity, since the MSI Report highlighted the fact that a lot of staff, especially when working remotely, prioritize deadlines over cybersecurity at present.

It’s worth doing all of this now as part of a corporate cybersecurity plan, because the measures we’ve already seen by regulatory authorities to toughen up their underwriting requirements around cybersecurity look to be just the tip of the iceberg. Forrester Research, in its Top Cybersecurity Threats for 2022 report in April 2022, forecast that insurers would be forced to include new underwriting requirements and greater scrutiny of what companies do to mitigate the risk of cyber-attack in future.

It’s also likely that it will soon no longer be enough to act independently as a company to protect only your company. Businesses that form a link in the technology supply chain will soon be asked about their cybersecurity mitigation actions to protect the whole of the supply chain – or at least the whole of it with which they interact.

By adopting a cybersecurity strategy early, businesses can help not only mitigate their own risk of cyber-attack, but protect their supply chain, and limit the difficulty they have getting cyber-insurance, despite the current perfect environment for attackers.