Cyber insurance: why it pays to be responsible


When you buy car insurance, you do so on the promise that you will demonstrate good behavior. You would not expect your car insurer to pay out if you broke the speed limit, never had your brakes or tyres checked, or left your pride and joy unlocked overnight. There is a mutual pact between you and your insurer. You take responsibility for your car’s safety and your own actions, and they pay out when bad things happen that you could not have foreseen, prevented, or mitigated against.

The same principle applies with cyber insurance. As an organization, you are 100% responsible for your own cybersecurity, and the insurance providers are there in the event of the unthinkable and unpreventable. For some businesses, especially small and medium-sized, having cyber insurance could mean the difference between staying open and going bust. That is reflected in the market’s growth, with Munich Re estimating cyber premiums will reach a value of $22bn by 2025.

However, as the volume of cyberattacks increases, insurance cover is now harder to get. That is because the financial losses from a breach have become disproportionate to the premiums that insurers charge. According to the IBM Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45 million, 15% more than in 2020, while blockchain analysis firm Chainalysis found that ransomware actors will make nearly $900 million from victims this year. 

This is evident from recent high-profile incidents, including a ransomware attack on MGM Resorts that took multiple systems offline at some of its major Las Vegas locations and is expected to cost millions in remediation. Some have even suggested a causal link between ransomware and cyber insurance, with attackers using exfiltrated cyber insurance policies to set their ransom demands.

With cyberattacks on the rise, cyber insurance has never been more important, alongside a strong cybersecurity posture. However, insurance premiums continue to soar, and insurers have become increasingly cautious about the risks they take on.


In the first quarter of 2023, insurance premiums increased by 11%. This surge in costs is compounded by the fact that insurers are beginning to question whether their existing premiums adequately cover the risks associated with cyber threats. In response, insurers are tightening their underwriting standards and raising the bar on the minimum cybersecurity requirements for policyholders.

To offset pay-outs, some insurers have taken steps to exclude certain costs. For example, Lloyd's of London announced last year that it would no longer cover nation-state attacks in its cyber insurance policies because doing so “exposes the market to systemic risks that syndicates could struggle to manage”. Meanwhile, in Australia, insurance giant Chubb won its case against automotive services firm Inchcape, which was trying to claim for costs incurred in the clean-up and recovery from a ransomware attack. The court deemed these an indirect financial loss, and therefore not covered by the policy.

You may wonder, then, what your cyber insurance actually covers. Would you be compensated for losses resulting from an employee clicking on a phishing email? Would your provider honor a pay-out if you voluntarily paid a ransomware demand? That question could become more pressing as countries such as Australia and the United States consider a ban on ransomware payments.

Typically, a cyber insurance policy will mostly cover the Incident Response (IR), forensic investigation and recovery costs associated with an attack. Most businesses are happy to insure on this basis, since the cost of that investigation alone could adversely impact cash flow, and the full cost of a data breach would be higher still. However, many have not considered the wider financial impact, such as loss of market share and its effect on share price.

When a cyber insurance company covers the investigation and recovery following an attack, it may bring in its own approved legal and IR teams, whose specific job is to determine which of the losses are covered and what they will cost. They are not there to perform the IR in a way that addresses all the potential business risks mentioned above.

There are also increased regulatory penalties for data breaches, which may lead some organizations to look immediately to cyber insurance to help cover those costs. However, it is unlikely that any underwriter would include these fines. They fall within the realm of legal counsel and law firms, which means the IR and investigation must be prompt and accurate, and the findings must be defensible in a legal hearing.

Avoid a claim with preventative cybersecurity measures

The details of what is and is not covered by a policy will largely depend on the insurance provider, but across the board you should expect underwriters to take a thorough look into your security practices. They need confirmation that you have implemented preventative measures to mitigate risk and stop an attack from happening in the first place. They will check everything from email security, multi-factor authentication status and cloud backup procedures to endpoints, encryption, firewalls, and user awareness.

I am reminded of a case with a customer in the financial services space who was faced with huge insurance premiums and only two renewal offers on the table. After implementing preventative measures, the institution received six competitive offers and managed to reduce premiums by up to 80% compared to the previous year. This was down to their ability to activate incident response and conduct comprehensive investigations before resorting to insurance claims. This level of control allowed them to make informed decisions, reducing unnecessary insurance activations and the associated costs.

Cyber insurance and cyber security working in harmony

The long-term viability of cyber insurance is still up for debate, but we know that prevention is the most effective way to demonstrate how seriously you take security when it comes to warding off cyberattacks. Businesses need to expand their defensive options so that cyber insurance supplements, rather than replaces, their ability to survive these incidents. In reality, the best insurance you have is to be proactive in putting the tools, processes and people in place to do everything you can to avoid a breach.


Tom De Laet, Incident Response Team Lead EMEA at Check Point Software.