Cyber insurance is expensive and insurers are placing greater demands on organisations looking for cover. Is it worth your while?
Nearly a third (29%) of organisations have seen an increase in the cost of cyber insurance in the past year, according to research by Databarracks. And two-fifths say they have seen tougher requirements from insurers.
The price hike is partly due to an increase in attacks, but also because insurers themselves are still getting to grips with this market, says James Watts, managing director at Databarracks.
"Insurers haven't had decades of actuarial data to use as a baseline for insurance costs as they do with other risks," he explains. "In ransomware attacks, for instance, paying the ransom seemed like the lower-cost option compared to recovering from back-ups. However, longer term it turned out to be much more expensive. What we're seeing now is the result of that cycle over years, and insurers demanding greater preparedness and prioritising recovery from back-ups over payouts."
Research by Panaseer suggests that 82% of cyber insurers expect to raise their premiums over the next two years.
"Higher premiums are also being driven by traditional risk transfer practices," says Jamie Akhtar, co-founder and CEO at CyberSmart. "Standalone cyber insurance – without protection or monitoring – is fast becoming obsolete in the wake of mounting threats."
Higher demands
Insurers' requirements may include the deployment of tools such as multi-factor authentication (MFA) and endpoint detection and response (EDR). But processes matter too.
"Generally speaking, insurers are looking for evidence of commitment to training, regular back-ups, and good cyber hygiene," says Watts. "We would recommend using a recognised risk management standard, or cyber security certification such as ISO27001 and Cyber Essentials or Cyber Essentials Plus."
It's important, though, not to get too narrowly focused on infosecurity solutions and certifications. Your cyber risk is part of your organisation's overall risk profile.
"Some insurers are beginning to look at a more holistic approach to risk transfer, combining risk assessments with ongoing monitoring of technical considerations and processes," says Akhtar.
Too much?
These increased requirements are placing a major burden on organisations, especially smaller ones. If it's too expensive and too difficult, some firms might turn away from insurance altogether.
"UK government data shows that only 50% of small businesses have any kind of cyber insurance, with just 10% having a specific policy," says Akhtar. "And, what's more, most of that 10% are concentrated in the finance and insurance sectors – typically heavily regulated and risk-averse industries."
But that doesn't mean uninsured firms are just going to accept the risk, says Martin Jartelius, CSO at Outpost24. There are other options.
"They will go for the most cost-efficient way to reduce the risk," he says. "For a small organisation, getting good off-site back-ups separated from their operations environments is bound to be easier, cheaper and faster than insurance."
Falling short
Perhaps a greater danger is to spend effort and money on cyber insurance only to discover, when the worst happens, that you missed something critical and the policy doesn't cover you in the way you think it does.
"Most organisations that take out insurance don't understand well enough what the limitations of their insurance are," says Jelle Wieringa, a security awareness advocate at KnowBe4. "Thus, when there is a successful cyber attack, and they reach out to their insurance company with a claim, they are often disappointed."
Organisations need to understand the limitations of their insurance policies, and this is a company-wide process.
"Most organisations have their legal department sign off on the insurance policies," says Wieringa. "But they might not have all of the experience and knowledge needed to assess if it covers everything your organisation needs. Include IT, HR, security and senior management directly. Everyone needs to understand what is at stake."
Text by: Steve Mansfield-Devine