The National Association of Insurance Commissioners’ (NAIC) November analysis of the U.S. cyber insurance market makes for interesting reading: the volume of cyber insurance premiums written grew by almost 30% in 2020, while loss ratios (that is, the losses paid out by insurers as a percentage of premiums paid) for many carriers were over 100%. This means that the carriers are losing out.
With the volume of high-frequency and high-severity cyber-attacks continuing to rise (as countless ransomware headlines attest), the cyber insurance market is looking at its exposure and coming to inevitable conclusions: policies are being reviewed. Premiums have jumped 73% in the U.S. alone, as have deductibles. Greater specificity over what is (and what is not) covered has become a feature of many updated policies, as has the expectation that companies need to have greater security hygiene in place in order to qualify for insurance. To increase the likelihood of getting coverage, companies will need to prioritize risk mitigation, which means adopting a readiness approach to increase resilience to a cyber-attack. The cyber insurance market, while growing, is also hardening.
While cyber insurance is becoming more costly and less available, headlines of high-profile cyber events crippling businesses loom large in the minds of C-suites and boards of directors, not least as greater board liability becomes a focus of liability action post-breach. And with greater digitization and disruption as organizations shift to complicated cloud and hybrid environments, there’s just that much more to get your head around. So, what to do?
Put Insurance into Perspective
First, it’s important to put insurance into perspective. A cyclist who buys health insurance will also make sure they have a good helmet. Insurance will help you recover when you’ve had an incident, but it won’t prevent an incident from happening. The ransomware gangs don’t unplug their virus-laden laptops when they notice your insurance policy (possibly quite the opposite). Insurance is just that: contingent.
Second, it’s important to recognize where and how you can deploy insurance to help. Demonstrating maturity of approach and being specific about the desired coverage can help both ensure the right fit of insurance within your broader risk management approach and reduce the premiums and deductibles for a “flat coverage.” A hardening market is one replete with opportunities and disruption, where new providers are looking to innovate. This can be an opportunity for companies if explored correctly.
Understand Risks & Opportunities
Here are some risks to think through:
Understand the risks to your crown jewels and how well-protected they are
Understand third parties, including suppliers, SaaS, and cloud dependencies
Train hard, fight easy:
Expect an event and try to anticipate the scenarios
Run simulations and exercises (at all levels) to build organizational muscle memory
Challenge yourselves and be honest about your security and readiness posture, capabilities, and capacities
Use your exercises to draw out assumptions and implied requirements
Know where you need contingencies and where insurance can fit:
Be clear about the first- and third-party coverage required
Be clear about the technology and business landscape that might be affected
Engage the insurance market and innovations that are available
Moving forward, cyber insurance remains an important (if not essential) mechanism for organizational risk management. But in a hardening market, cyber insurance is increasingly expensive. As organizations look around and engage brokers and others, one way they can help themselves is by focusing on reducing and bounding the areas of risk where insurance will help. Putting solutions in place that help increase resilience before an incident and reduce the severity of impact if an incident occurs is one great way to approach these conversations.