Nearly a third (29%) of organisations have seen an increase in the cost of cyber insurance in the past year, according to research from Databarracks. And two-fifths say they have seen more stringent requirements from insurers.
The price rise is partly due to an increase in attacks, but also because insurers themselves are still getting to grips with the market, says James Watts, managing director at Databarracks.
“Insurers haven’t had decades of actuarial data to use as a baseline for the cost of insurance, as they do for other risks,” he explains. “For example, in the case of ransomware attacks, paying the ransom appeared to be the cheaper option compared to restoring backups. But in the long run, it turned out to be much more expensive. What we’re seeing now is the result of that cycle over years, and insurers are demanding greater preparedness and prioritising recovery from backups over payouts.”
According to Panaseer’s research, 82% of cyber insurers expect to increase premiums over the next two years.
“Higher premiums are also being driven by traditional risk transfer practices,” said Jamie Akhtar, co-founder and CEO of CyberSmart. “Standalone cyber insurance – with no protection or monitoring – is quickly becoming obsolete as the threats increase.”
Increased requirements
Insurers’ requirements may include the use of tools such as multi-factor authentication (MFA) and endpoint detection and response (EDR). But processes are also important.
“In general, insurers are looking for evidence of a commitment to training, regular backups and good cyber hygiene,” says Watts. “We would recommend using a recognised risk management standard or cyber security certification, such as ISO27001 and Cyber Essentials or Cyber Essentials Plus.”
But it’s important not to focus too narrowly on information security solutions and certifications. Your cyber risk is part of your organisation’s overall risk profile.
“Some insurers are starting to look at a more holistic approach to risk transfer, combining risk assessments with ongoing monitoring of technical considerations and processes,” says Akhtar.
Too much?
These increased requirements place a heavy burden on organisations, especially smaller ones. If it’s too expensive and too difficult, some companies may turn away from insurance altogether.
“UK government data shows that only 50% of small businesses have any kind of cyber insurance, with only 10% having a specific policy,” says Akhtar. “And what’s more, most of that 10% is concentrated in the finance and insurance sectors – typically highly regulated and risk-averse industries. ”
But that doesn’t mean that uninsured companies simply accept the risk, says Martin Jartelius, CSO at Outpost24. There are other options.
“They will look for the most cost-effective way to reduce the risk,” he says. “For a small organisation, it will be easier, cheaper and quicker to get good off-site backups separated from the operational environment than it will be to get insurance.”
Falling short
Perhaps a greater danger is spending effort and money on cyber insurance only to find, when the worst happens, that you’ve missed something critical and the policy doesn’t cover you in the way you think it does.
“Most organisations that take out insurance don’t understand the limitations of their insurance well enough,” says Jelle Wieringa, security awareness advocate at KnowBe4. “As a result, when there is a successful cyber attack and they go to their insurance company with a claim, they are often disappointed.”
Organisations need to understand the limitations of their insurance policies, and this is a company-wide process.
“Most organisations have their legal department sign off on insurance policies,” says Wieringa. “But they may not have all the experience and knowledge needed to assess whether it covers everything your organisation needs. Involve IT, HR, security and senior management directly. Everyone needs to understand what is at stake.
