What is Cyber Insurance and Why Do You Need it? (2024)


Written by
Joseph Carson

The insurance industry is evolving to help your business mitigate risk, and cyber insurance in particular is evolving fast. Cyber insurance offers a safety net for businesses threatened by the rapid growth of insider cybercrime and external cyber threats, particularly ransomware. It has been a reliable safety net for years, but things are changing fast.

Before you seek cyber liability coverage or negotiate your next insurance policy renewal, it’s important to understand the dynamics of the rapidly changing market and consider how well your security controls will stand up to an insurance company’s review. (Our sample Cyber Insurance Readiness Checklist guides you through the top questions most insurance companies ask.)

This blog will answer some common questions about cyber insurance and make sure you get all the facts you need.

The rise of cyber insurance

The cyber insurance market is expected to reach $20.6 billion by 2025, according to the latest estimates. That’s up from $7 billion in 2020. The booming market is a reaction to the explosion of cyberattacks in the last few years. In 2021, there was a 50% increase in cyberattacks over 2020, much more than businesses or insurers expected or budgeted for. The cost of cybercrime is also continuing to increase, reaching $10.5 trillion annually by 2025.

Ransomware currently accounts for 75% of all cyber insurance claims, up from 55% in 2016. “There has been no reprieve in ransomware activity, suggesting that it will continue to be a prominent threat in 2022 as threat actors continue to exploit new vulnerabilities and attack vectors,” Insurance Business warns. Part of the reason for the continued ransomware increase is the willingness of businesses to pay the ransom demands.

How do these factors impact your cyber insurance strategy?

As you can imagine, insurance companies don’t want to be left holding the bag as cybercrime and ransomware increase. Thus, they’re raising insurance premiums. After misjudging risk in 2019 and 2020, some insurers have exited the cybersecurity insurance market, which allows those companies that remain to capture increased demand while keeping premiums high.

Cyber insurance companies are tightening security requirements

In addition, to reduce their risk, insurance companies are tightening cybersecurity requirements before they grant insurance coverage to their customers. Specifically, insurers are taking a close look at how well businesses follow security best practices, such as access control, multi-factor authentication, and the principle of least privilege.

What is cyber insurance?

Cyber insurance is a policy with an insurance carrier to mitigate a business’s financial risk exposure by offsetting costs related to damages and recovery after a data breach, ransomware attack, or another cybersecurity incident. It can shield you from the costs of investigations, forensics, compliance fines, lawsuits, and even extortion payments.

Until recently, cyber insurance was just extra liability insurance that you could add to your standard business insurance. But traditional insurance policies only covered business interruption or breach of physical assets due to cyberattacks. Today, cyberattacks can cause a much wider swath of destruction for businesses. In insurance industry parlance, “the loss environment has increased.”

Don't just bolt on a bit of cyber insurance

As Michael Phillips, Head of Claims at Resilience Insurance, explains in Delinea's 401 Access Denied podcast, “it’s no longer sufficient to just bolt on a bit of cyber (insurance) onto your property policy.” Rather, you need coverage from insurers that understand cybersecurity and are willing to pay for those extra losses.

Let’s take a look at the types of players in the cyber insurance industry.

The cyber insurance ecosystem

Like other areas of business insurance, the cyber insurance ecosystem consists of brokers, insurers, and re-insurers. Most businesses seeking cyber insurance start by working with a broker who can obtain quotes from a variety of insurers. Those insurers range from the large, name-brand insurance companies with cyber divisions, to smaller companies that only provide cyber insurance. Some specialize in cyber insurance for specific industry sectors, such as healthcare, law firms, nonprofits, or retail.

Regardless of size or specialty, all cyber insurers have one thing in common: they’re learning as they go, trying to find their foothold in a fluid, ever-evolving market.

As you shop for cyber insurance, you won’t typically deal directly with re-insurance companies, but they play an important role behind the scenes. Re-insurance is best described as “the insurance of insurance companies.” Cyber Magazine explains: “Reinsurers have taken on an important role in the cyber insurance ecosystem over the past two years. They provide cybersecurity, share underwriting knowledge, give actuarial support, and help manage accumulation risk, in addition to enabling the pure risk transfer.”


What does cyber insurance cover and not cover?

There are two major types of cyber insurance coverage: third-party liability coverage and first-party coverage. You may choose to purchase either or both types of coverage.

  • First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked.
  • Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to occur.

Cyber liability coverage may spell out the types of incidents and damages they will pay for, such as “ransomware insurance” or “data loss insurance.”

Keep in mind, the products offered by the cyber risk sector of the insurance industry are evolving. Some cyber insurance providers are making big changes in the scope and scale of what they will and will not cover for businesses.

Some insurers are pulling back and insuring less or putting more limitations on their policies. French insurance company AXA, for instance, announced in August 2021 that it will stop paying ransom demands for future policyholders.

Make sure you know exactly what your cyber insurance will and will not pay for.

Be prepared for increasing cyber insurance rates

High demand combined with big losses is driving up insurance costs. For example, AIG announced that its cyber insurance premiums rose 40% in the past year. As AIG’s CEO, Peter Zaffino, explains: “We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware, and the systemic nature of cyber risk generally.”

The good news is there are ways you can keep your cyber insurance costs down, even while premiums are on the rise.

Cyber insurers are hungry for more data

Unlike other insurance sectors, cyber insurance lacks years of actuarial data required to balance pricing with the risk taken by the insurers. Cyber insurance has about 15 to 20 years of data to rely on, whereas other areas of insurance have hundreds of years of actuarial data at their disposal.

Cyber risk requires specialized models. Insurers must combine data science, cybersecurity expertise, and insurance underwriting skills to evaluate risk. Many have formed a dedicated “cyber engineering” group that understands how to conduct security risk assessments. Insurance underwriters and security experts are joining forces to act as a team. Not often do subject matter experts from such diverse fields collaborate to come up with a market price.

We all have an incentive to get this right

Michael Phillips, Head of Claims at Resilience, shares a behind-the-scenes look at how a cyber engineering team works in the 401 Access Denied podcast. Until recently, he notes, “cybersecurity professionals and cyber insurance professionals might have said, ‘these guys are getting in my way or they're intervening in my plan and program.’ Now, we're all incentivized to really address what is a much more comprehensive problem than it was 5, 10 years ago . . . now it's operational. It's privacy. It's data protection. And it's the health of the enterprise. We all have an incentive to get this right.”

How do you prepare to apply for cybersecurity insurance?

Expect in-depth questions that scrutinize your security controls and risk management practices. Cyber insurers look for common security risk controls. For example, cyber insurers may want to know how you’re doing regular testing for phishing and how you’re handling web content filtering and multi-factor authentication.

Cyber insurers evaluate cyber risk using a variety of models and metrics. Some, such as AIG, make their evaluation metrics available to the public. Others, such as Zurich, rely on a framework from the National Institute of Standards and Technology (NIST) for their cyber risk assessment report. While the metrics and frameworks may vary among the insurance providers, they’re all looking for similar fundamentals: solid, proactive cybersecurity risk controls.

Among other cyber insurance requirements, cyber insurers look for common security controls, including:

[Image: list of common security controls]

Certain industries may have their own unique risk controls or may place higher importance on particular security measures.

The good news is, you can take straightforward steps to implement these risk controls, which, in turn, could make your business more “insurable” and lower your cyber insurance costs. To help you meet cyber insurance requirements, I've summarized the best practices in our cyber insurance checklist:

[Image: cyber insurance checklist]

When you apply for cyber insurance, you’ll want to be able to answer questions confidently. How do you know you’re ready? Download our sample Cyber Insurance Readiness Checklist—it guides you through the top questions most insurance companies ask when you apply for cyber insurance.

Cyber insurance for the long haul

If and when you’re issued a cyber insurance policy, congrats! It’s not an easy feat to obtain a policy during these tumultuous times for the cyber insurance market.

But don’t rest on your cyber laurels. Cyber insurance continues to evolve, so don’t be surprised if your insurer makes changes to the coverage or premium when it’s time to renew. Providers may also expect you to provide updates and new data during the entire term. You’ll need to continue to show the same accountability and responsible practices that earned you the policy.

No matter if you’re looking at cyber insurance in the short term or down the road, you can take important steps right now to tighten up the cyber practices across your business. As you build your cyber insurance checklist, start by making privileged access the core of your cybersecurity strategy.

As an expert in the field of cybersecurity and insurance, I bring a wealth of knowledge and experience to shed light on the evolving landscape of cyber insurance. My deep understanding of the subject is derived from extensive research, hands-on involvement in cybersecurity initiatives, and a continuous commitment to staying abreast of the latest industry trends and developments.

Now, let's delve into the key concepts presented in the article written by Joseph Carson:

  1. The Rise of Cyber Insurance:

    • The cyber insurance market is expected to reach $20.6 billion by 2025, up from $7 billion in 2020.
    • The surge in cyber insurance is a response to the significant increase in cyberattacks, with a 50% rise in 2021 compared to 2020.
    • The total cost of cybercrime is projected to reach $10.5 trillion annually by 2025.
  2. Ransomware Dominance:

    • Ransomware currently accounts for 75% of all cyber insurance claims, a substantial increase from 55% in 2016.
    • The persistence of ransomware threats is attributed, in part, to businesses' willingness to pay ransom demands.
  3. Impact on Cyber Insurance Strategy:

    • Insurers are responding to the growing risks by raising premiums and tightening cybersecurity requirements.
    • Businesses seeking cyber insurance must adhere to security best practices, including access control, multi-factor authentication, and the principle of least privilege.
  4. Understanding Cyber Insurance:

    • Cyber insurance is a policy designed to mitigate financial risks associated with cybersecurity incidents such as data breaches, ransomware attacks, and other cyber threats.
    • The coverage extends to expenses related to investigations, forensics, compliance fines, lawsuits, and extortion payments.
  5. Evolution of Cyber Insurance Products:

    • Traditional cyber insurance has evolved beyond being an add-on to standard business insurance.
    • Businesses now need coverage from insurers with a deep understanding of cybersecurity, emphasizing the importance of tailored policies.
  6. Cyber Insurance Ecosystem:

    • The cyber insurance industry involves brokers, insurers, and re-insurers.
    • Re-insurers play a crucial role in providing support, cybersecurity expertise, and managing accumulation risk in the background.
  7. Types of Coverage:

    • Two major types of cyber insurance coverage are third-party liability and first-party coverage.
    • Coverage may specify incidents and damages, such as "ransomware insurance" or "data loss insurance."
  8. Changing Landscape and Rates:

    • Insurers are adapting to the evolving cyber risk landscape by making changes to the scope and limitations of coverage.
    • Increasing demand and significant losses are driving up cyber insurance premiums.
  9. Data Challenges and Cyber Engineering:

    • The cyber insurance sector lacks extensive actuarial data, requiring specialized models.
    • Insurers are forming dedicated "cyber engineering" teams, combining data science, cybersecurity expertise, and insurance underwriting skills.
  10. Preparing for Cyber Insurance:

    • Businesses applying for cyber insurance should expect in-depth questions regarding security controls and risk management practices.
    • Cyber insurers evaluate risk using various models and metrics, emphasizing fundamental cybersecurity controls.

In conclusion, staying informed about the evolving dynamics of the cyber insurance market and implementing robust cybersecurity measures are crucial for businesses to navigate the changing landscape and obtain effective coverage.

FAQs

What is Cyber Insurance and Why Do You Need it?

An essential part of cyber risk management, cyber insurance helps businesses respond and recover from the financial costs of a cyber event, including loss from operational disruption, remediation and recovery expenses, legal fees, reputational harm, regulatory fines and more.

What is cyber insurance and why do you need it?

A cyber insurance policy helps an organization pay for any financial losses they may incur in the event of a cyberattack or data breach. It also helps them cover any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.

What is the need for cyber liability insurance?

Cyber liability insurance is designed to help protect you from claims and support your profitability in the event of a cyber breach or attack. Costs associated with defending a cyber claim are also covered.

What are the benefits of cyber security insurance?

Why is cybersecurity important for the insurance industry? Cybersecurity is paramount for the insurance industry because it deals with vast amounts of sensitive personal and financial data. Ensuring this data is secure not only builds trust with clients but also prevents potential financial losses from data breaches.

What do I need to get cyber insurance?

To qualify for cyber insurance, businesses must undergo security awareness training and testing. By ensuring employees are up to date on security threats and procedures, businesses can help reduce their risk of becoming a victim of a cyber attack.

What is cyber insurance?

Cyber insurance can help offset:

  • Legal fees
  • Cost of restoring personal identities of affected customers
  • Cost of recovering compromised data (such as a case involving ransomware)
  • Overall cost of repairing any damage to compromised computer systems

Who does cyber insurance protect?

Cyber insurance generally covers your business' liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver's license numbers and health records.

What does cyber insurance not cover?

Loss of value through intellectual property (IP) theft

Often, they won't recognize IP theft until long after an incident (for example, when a competitor takes a new product to market). Nevertheless, devaluation due to IP theft is a loss most cyber policies don't cover.

What type of companies need cyber insurance?

Businesses that sell their products online need cyber coverage. This coverage protects sellers from claims arising from cyber and data liability as well as provides an important support system if you experience a security breach.

What type of liability will cyber insurance cover?

Cyber liability insurance is recommended for larger businesses. It helps cover financial losses due to cyberattacks or other tech-related risks, as well as privacy investigations or lawsuits following an attack.

Is cyber insurance enough?

If you're a business owner, that's the kind of money that should prompt you to wonder whether your cybersecurity insurance coverage is adequate or not. A recent Forrester report found less than 20% of companies have enough coverage to cover the cost of that median $600,000 ransomware demand amount.

What costs does cyber insurance cover?

  • Breach of contract and negligence fines
  • Losses due to phishing or transfer fraud
  • Regulatory compliance penalties and fines
  • Legal costs (including defense and settlement costs)

Is cyber protection insurance worth it?

Cyber insurance protects against losses that result from a range of cyber incidents, including social engineering scams and ransomware attacks. But is it worth the investment? It's a resounding 'yes'.

What are the effects of not having cyber insurance?

  • Lost business (missed sales due to system downtime and cancelled contracts)
  • Financial redirection (threat actor funnels money to their own account)
  • Incident response (investigating, containing, and eliminating the cyber threat)
  • Lawsuits (class-actions stemming from compromised customer data)
