Companies are finding it harder to get cyber insurance
Among the many consequences of the rising number of costly data breaches, ransomware, and other security attacks are pricier premiums for cyber security insurance.
The rise in costs could put many organizations out of the running for this essential coverage, a risky proposition given the current threat landscape.
Cyber insurance is a type of specialty insurance that protects organizations against a variety of risks related to information security attacks such as ransomware and data breaches. Ordinarily, these types of risks aren’t included with traditional commercial general liability policies or are not specifically defined in these insurance plans.
Given the rise in attacks, the growing sophistication of these incidents and the potential financial impact, having cyber insurance coverage has become critical for many organizations. Premiums for these plans have been on the rise because of the increase in security-related losses and rising demand for coverage.
Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB), an association for commercial insurance and employee benefits intermediaries.
Among the primary drivers for the continued price increases were a reduced carrier appetite for the risk and high demand for coverage, CIAB said. The high demand for cyber coverage is in part fueled by greater awareness among companies of the threat cyber risk poses for businesses of all sizes, it said.
In addition to premium price increases, underwriters are attempting to mitigate the losses from cyber claims with much stricter underwriting requirements, including making cyber security protocols such as multi-factor authentication mandatory.
The availability and affordability of cyber insurance can vary by industry and business size, said Dan Garcia-Diaz, managing director of the U.S. Government Accounting Office (GAO). “For example, [a] small business may have more difficulty purchasing cyber insurance,” he said.
In a report earlier this year, GAO noted that the extent to which cyber insurance will continue to be generally available and affordable remains uncertain. The agency reported that some carriers had started limiting the coverage they offer to certain critical infrastructure sectors, which might make it more difficult for these sectors to acquire cyber insurance.
“For example, one insurer reported that it opted not to insure the energy sector because of its vulnerability to attacks and because of concerns that energy operators do not follow robust cyber security protocols,” Garcia-Diaz said. “Another insurer stated that its appetite to provide coverage to certain industries — including electric grid operators and airlines — is limited.”
The GAO report said that while more companies might be looking for insurance against attacks, “stability in premium rates and access to policies are changing. Large-scale attacks — such as last year’s Colonial Pipeline ransomware attack, which led to short-lived gasoline shortages in the Southeastern U.S. — have highlighted the potential for catastrophic financial damages. As a result, insurers are starting to take steps to limit their exposure to these losses.”
The study said the cost of cyber insurance is based in part on the frequency, severity, and cost of cyber attacks, “all of which have been increasing. The uncertainty about future threats also plays a role, and insurers have become more selective about who and what gets covered.”
Insurers have also tightened policy terms and conditions to reduce unexpected losses from attacks, GAO said. Traditionally, commercial property and casualty policies could include limited cyber coverage, according to the report. “But now, carriers are becoming less likely to include it, and are instead offering cyber coverage separately. For policyholders, these changes translate into fewer coverage options, stricter standards, and more exclusions.”
While rising costs and other limitations can make cyber coverage more difficult for organizations to afford, “uptake percentages continue to rise,” said Rob Norris, principal analyst, property and casualty insurance, at Celent, a global research and advisory firm focused on technology for financial institutions.
“In other words, despite premium increase, many organizations believe they cannot afford not to be covered for cyber risk,” Norris said.
If rates continue to climb and insurers offer more limited coverage, however, cyber insurance might become more and more difficult for many companies to afford or obtain. Insurers are also getting more demanding in terms of how they want their clients to defend themselves.
“Organizations are facing increased scrutiny by cyber insurers during the underwriting process,” Norris said. “Companies that do not have basic cyber hygiene controls — things like multi-factor authentication, automatic software updates, and regular employee training — will face declinations by cyber insurers.”
Rising premiums, driven by expected increased losses, and greater overall demand for cyber insurance are putting a strain on insurance capacity, Norris said, making it harder to find coverage. That’s true even for organizations with strong cyber security risk management plans, he said.
The repercussions could be significant for organizations that go without insurance.
“It’s possible that attacked entities — which could include critical services such as hospitals, financial services, and energy services — would suffer such large losses as to not be able to continue operating without cyber insurance,” Garcia-Diaz said.
Lack of cyber insurance could also have broader impacts. For example, a catastrophic cyber attack against a critical infrastructure entity could have an enormous financial effect on multiple organizations, he said.
Organizations that decide they cannot afford cyber insurance “will be living with a potentially existential threat to their balance sheet,” Norris said. “Also, companies that go bare on cyber liability may see an impact on revenue, as customers and suppliers increasingly make cyber coverage a requirement of doing business.”