Risk Cooperative CEO, Andres Franzetti, recently joined Steve Lewis from Dataprise to discuss the current cyber risk landscape, how to prepare for a cyber attack, and ways to go beyond compliance for true cyber resiliency.
In the wake of headline-grabbing attacks like SolarWinds, Colonial Pipeline and Kaseya, cybersecurity is a top concern for businesses of all sizes. And the costs for recovery are rising. “The risks are intensifying at a really alarming rate,” says Dataprise CEO, Steve Lewis. With both state-sponsored hackers and garden-variety criminals experiencing great success targeting firms with ransomware and other cybersecurity threats, the risk landscape is quite serious.
Frequent Cyber Attacks Are Impacting the Cyber Insurance Markets
According to Andres Franzetti, Co-founder and CEO of Risk Cooperative, “A couple of years ago, cyber used to be about large scale data breaches around PII and PHI. What we’re seeing now is that the drivers of loss have shifted to business interruption and shutting down organizations around ransomware – and the costs have gone up.” Statistics from Allianz Insurance cyber claims data indicate that the average cost of cyber crime has increased 70% even as the number of cyber incidents has been going up year over year, and business interruption losses account for the majority of claims.
These factors are impacting the market’s profitability as underwriters struggle to price risk accurately. Even as firms increasingly turn to cyber insurance for protection, the rate of claims has resulted in insufficient premiums to cover losses. To counter this dynamic, insurers are raising rates, limiting coverage, excluding certain risks, and exiting high risk and non-profitable markets. Without robust cybersecurity policies in place, firms are no longer able to apply for cyber insurance.
Effective, Resilient IT Infrastructure Is Table Stakes
Effective cybersecurity is the only way to protect your company and its data. Yet, Steve warns, “You have to assume your cybersecurity is going to fail because, at the end of the day, there are thousands of hackers.” There is no silver bullet among the vast array of firms offering cyber protection.
The risk of an attacker breaching your cyber defenses requires strategies for business continuity and disaster recovery involving the integration of technology, policies, procedures, controls, processes, systems, management, and culture. With cyber insurance exclusions expanding, to truly be safe, you need an IT team that can whittle the huge number of potential threats down to the most existential ones, and then respond in real time. Staying ahead of hackers requires multidisciplinary cybersecurity expertise integrated and aligned with your enterprise-wide IT management strategy.
Strategies for Building Cyber Resilience
Yet, an organization will have difficulty achieving resilience without a clear understanding of its assets, which often include data that could be more valuable to business operations than physical equipment. Andres reveals, “For us, resiliency is about operational continuity, and insurance helps to facilitate that, but it’s about analyzing your assets and what’s at risk in a cyber attack.” Understanding the hidden costs of a breach, such as operational disruption and lost reputation, intellectual property, and business relationships, will help to ensure proper insurance limits and cybersecurity investments.
In the simplest terms, cyber insurance provides coverage to transfer and mitigate financial costs incurred because of a cyber incident, and provides critical breach response resources during a cyber event. There is a range of cyber policies available, but not all policies provide equal coverage. Standalone cyber policies, in contrast to bundled programs, provide robust breach response resources and coverage for a variety of potential loss scenarios.
Because cyber risk overlaps many business areas, and the frequency and cost of claims are rising, insurance carriers are excluding some types of exposures. Notably, the failure to maintain minimum security standards on traditional IT, portable devices and third-party security can lead to claims being denied. On the other hand, working with underwriter-approved Managed Security Service Providers (MSSPs) can lead to lower premiums and more robust coverages. Securing cyber insurance creates access to more than just financial risk transfer; these policies often provide a range of proactive and risk mitigation services such as training, workshops, and assessments.
“Every organization, regardless of size, needs to look at cyber as a strategic business risk. Everyone is potentially vulnerable,” says Andres. With the growing climate of ransomware attacks and other cybersecurity incidents, now is the time to look into your organization and ask, are we properly prepared?