How well positioned is your organization to get and maintain cybersecurity insurance?  That’s the question facing many organizational leaders as cybersecurity threats continue to rise and the cybersecurity insurance market continues to adapt.  The prospect of securing – and even renewing existing – cybersecurity insurance coverage is becoming problematic, especially for small-to-medium businesses that sit at the difficult intersection of rising premiums, growing underwriting criteria, and increasing security threats.

Understanding Cybersecurity Insurance

Cybersecurity insurance is a risk management method companies use to transfer a portion of the financial risk of cyber-related attacks to another party (the insurer). Cybersecurity insurance occupies only around 1% of the overall US property and casualty insurance market, but it is by far the fastest-growing segment, with 2022 premiums growing 50% year-over-year to over $7.2B.

For organizations of all sizes, cybersecurity insurance is critically important for three reasons:

  1. Cyber-related attacks are very costly.  When a cybersecurity incident occurs, organizations can quickly grind to a halt: mission-critical data is no longer available, technology assets are inaccessible, and business processes are either halted altogether or reverted to manual activities.  The disruption can equate to sizable losses in revenue and profitability even before accounting for ransom demands, remediation costs, fines, legal fees, loss of reputation, and other liabilities.  For example, the average cost of a data breach is estimated to exceed $4.4M.
  2. The threats and impacts are rising rapidly.  Cyberattacks increased 38% year-over-year in 2022, at a combined cost of $8 trillion.  What is fueling the rise?  Among many factors, contributors include new forms of malware and ransomware; a growing remote workforce; data breaches that supply material for further social engineering; the growing adoption of digital currencies; gaps in technology asset protections; the increasing use of artificial intelligence technologies; and the overall enterprise shift toward cloud-based technologies.
  3. Customers and partners are requiring cybersecurity insurance.  For many organizations, coverage is no longer optional.  To effectively manage liability and continuity of operations, many organizations are contractually mandating insurance coverage from their vendors and business partners.

The rising risks in cybersecurity represent a material impact to financial markets, and the SEC’s recent decision to implement mandatory public reporting of cybersecurity incidents is placing renewed pressure on organizational leaders to ensure their cybersecurity programs are robust.  But the challenges are particularly daunting for small-to-medium businesses (SMBs).

Though adoption is growing rapidly, only around 20% of SMBs currently have cyber-related insurance.  And these organizations are exceptionally vulnerable to cyber-attack: a startling 99% of all cyber-insurance claims come from SMBs.  Over the past 3 years, the volume of claims from these organizations has doubled, and the payouts have nearly tripled.  The average claim for an SMB is $345k, and $485k for ransomware.

Insurers Respond

Following multiple years of rising incidents and claims activity, insurers have experienced a 12% increase in claims in the first half of 2023, including a 27% increase in ransomware claims.  Not surprisingly, insurers are responding to these risks by more aggressively managing their exposure.  Tactics include:

  • conducting more lengthy risk assessment and underwriting processes
  • increasing rates
  • limiting covered expenses
  • establishing explicit security program requirements
  • stipulating exclusions that void coverage
  • dropping coverage for ransomware and state-sponsored attacks.

Applicants for both new and renewal policies have probably noticed that the security questionnaires are growing in length and depth. Insurance companies are moving beyond check-the-box underwriting to asking more probing questions that better characterize a business's security maturity before deciding to issue a policy.  As cyber-related actuarial and underwriting processes become more sophisticated, more companies that need cyber insurance can't get it: more than one in four SMBs report being denied coverage altogether.

So what can improve your company’s chances of obtaining or maintaining cybersecurity insurance?

Planning for Coverage

It’s important to get advice from a security expert who can zero in on the specific weaknesses in your company's security program that insurance underwriters prioritize.  Cybersecurity experts can help assess the business and technology areas that underwriters examine when determining a company’s insurability, including questions such as:

  1. How well does your company use access policies and technical controls? Least-privilege access controls limit the damage an attacker can do after compromising a user’s account by making it harder to escalate privileges and reach the company’s most sensitive data. Privileged accounts (domain, cloud, and backup administrators in particular) are prime targets and require added protections.
  2. How consistently and comprehensively does your company conduct risk assessments, penetration tests, and vulnerability scans?  Penetration tests simulate a real attacker’s tools and techniques under agreed rules of engagement, and vulnerability scans identify known weaknesses, so you can remediate findings before an attacker exploits them.
  3. How well-developed is your company’s cybersecurity incident response plan? A cybersecurity incident is a stressful event and time is of the essence. Without an incident response plan that is documented and tested, companies will have to learn as they go.  This competency gap delays their ability to contain the attack and recover their operations, magnifying the attack’s financial and reputational losses.
  4. What training does your company regularly provide to employees on security awareness, including phishing tests?  People are the weakest link in security, so recurring training is essential.
  5. How robust are your company’s authentication controls, such as multi-factor authentication (MFA) and single sign-on (SSO)?  MFA mitigates the risk of compromised credentials, and SSO centralizes authentication so that MFA can be enforced consistently across applications.  Businesses that rely on passwords alone are especially attractive targets, because passwords are relatively easy to steal or to phish from an unsuspecting user.  Underwriters commonly ask whether MFA covers remote access, email, and privileged accounts specifically, not just whether it is available somewhere in the environment.
  6. How consistently does your company monitor for cyber-attacks, and are alerts being reviewed and acted upon?  This is a two-part question because monitoring tools such as SIEM and XDR platforms, or an outsourced MDR service, are only effective if someone is investigating the alarms and remediating the threat.

It is important to understand your company’s readiness on issues like these before applying for cybersecurity insurance.  Using the insurance application process as a “free” security assessment causes a lot of downstream problems.  If you are denied insurance once, it may be harder to get approved in the future.  Also, insurers will often not give specific denial reasons or provide any detailed determination of your security strengths and weaknesses.  Cybersecurity experts are best equipped to help you prepare and improve your chances of getting your application approved.

If you are interested in learning more, CREO supports its clients with maturing their cybersecurity posture so they are better prepared to meet their business requirements including data asset protection, business resiliency, insurance, and regulatory compliance.