The Cyber Insurance Market Comes into Its Own
Over the past five years, the cyber insurance market has matured considerably. With a larger body of loss data and accumulated underwriting experience, insurers now have a more precise framework for assessing and pricing risk. The result has been a moderation in cyber insurance premiums, even as claims frequency and severity rose in the first half of 2023 across businesses of every size.
The constantly shifting threat landscape requires insurers to recalibrate continuously. Underwriting remains rigorous, and insurers give priority to applicants with advanced cyber hygiene, so coverage terms correlate directly with an organization’s readiness. For context, claims and ransomware incidents declined in 2022, but 2023 brought a resurgence: the U.S. saw a 75% increase in ransomware events in the first half of the year alone, as reported by Malwarebytes Inc.
Within the cyberthreat landscape, industries including financial services, professional services providers, technology services and software, and manufacturing find themselves particularly vulnerable. These sectors, along with associated supply chain entities, are exposed to high or extremely high cyberrisk levels (Figure 4). Leveraging specialized solutions offered by insurance brokers and carriers has emerged as a critical strategy for these organizations, enabling them to manage and mitigate the inherent cyberrisks more effectively.
The path ahead for the cyber insurance market is not without its challenges. External pressures such as looming inflation and the tightening of client resources could present significant hurdles. Even more concerning is a potential recession. Should this economic downturn materialize, it may constrain the ability of many companies to invest in cybersecurity due to restricted capital and limited availability of specialized talent.
In this report, we will explore the multifaceted dimensions of risk, claims, and pricing trends within the cyber insurance industry. We will illuminate the legal and regulatory landscapes that are poised to influence the future of cyberrisk management and highlight innovative strategies that are enabling businesses to strengthen their cyber defenses and reduce the potential financial impact of cyber incidents.
CYBER CLAIMS TRENDS AND COSTS
The global average cost of a data breach reached $4.45 million in 2023, a 2.3% increase from 2022 and a 15.3% increase from 2020, according to IBM’s Cost of a Data Breach 2023 report. Both data at rest and data in transit are at risk, so organizations need a multipronged strategy that protects stored data repositories as well as every interface and process that depends on transmission over the internet.
Increasingly, attackers operate without installing malware on target systems at all, relying instead on stolen credentials and the organization’s own legitimate tools. These intrusions often begin with calls to the organization’s help desk to gather details about the network and its users. A fraudulent call or emailed link then harvests the victim’s login credentials and multifactor authentication code. Once inside, the attacker poses as the authorized user and creates whatever additional accounts and access it needs to accomplish its goals, with no malware required. Because the attacker obtains the one-time code directly from the user, this path defeats SMS- and push-based MFA; phishing-resistant methods such as FIDO2 security keys, together with strict identity verification procedures at the help desk, are the controls that address it. In fact, 71% of detections were malware-free activity, according to CrowdStrike.
Attacks on cloud-based interfaces are also increasing. In The Reality of SMB Cloud Security in 2022 report by Sophos, 56% of survey respondents reported an increase in the number of attacks, 59% saw an increase in the complexity of attacks, and 53% said the impact of attacks on their cloud presence had grown.
Of special note: small to midsize businesses accounted for 98% of cyber claims from 2018 through 2022, according to NetDiligence’s Cyber Claims Study 2023, with an average cost per incident of $865,000 in 2022. Ransomware is the biggest threat, with the average SMB ransomware claim rising from $514,000 in 2021 to $555,000 in 2022, according to the study. Business interruption is one of the most damaging consequences of a cyberattack for SMBs, with losses from such interruptions averaging $370,000 over the 2018-2022 period.
The top five causes of loss for SMBs, according to NetDiligence, are ransomware, business email compromise, hacking, theft of funds, and staff mistakes. These are the areas companies should target with special attention, since insurers are becoming more demanding about demonstrated cyber risk management.
RISK MITIGATION HELPS WITH PREMIUMS & COVERAGE TERMS
Insurers are insisting on robust cyber risk management before they agree to insure businesses. Companies with solid cyber protocols and no history of loss are the most attractive to insurers, but even with prior claims, businesses that can show they’ve made corrections are able to get coverage—and some on good terms.
Misconfigured resources and unpatched vulnerabilities are the main drivers of cloud-based cyberrisk, according to the Sophos report. The report further points out that visibility across all organizational resources and configurations is crucial to identifying problems quickly and acting on them. This is an area where the vast majority of cloud users are weak: it requires 24/7 monitoring, for which many organizations lack the resources, as well as the ability to respond immediately at any hour.
We have also seen an uptick in lawsuits alleging privacy law violations, in particular over the use of pixel tracking technology. As states and national governments enact data privacy regulations, the door is wide open for cyber-related directors and officers (D&O) complaints, as well as regulatory investigations and shareholder derivative suits if stock value is affected by a cyber failure.
As a result of these exposures, businesses face a more demanding underwriting process that includes thorough examination of a company’s security controls, internal processes, and procedures concerning cyberrisk. Underwriters are using third-party external scanning services to detect internet-facing weaknesses in clients seeking coverage.
Some insurers are including endorsements that exclude coverage for, or apply co-insurance to, specific problems identified in the underwriting review process. There may even be a review of an applicant’s partners’ cyber hygiene if those firms’ systems are deemed a potential source of vulnerability.
As insurers seek to refine cybersecurity controls, the top twelve they look for currently, according to LMG Security, are:
- Advanced multifactor authentication (MFA)
- Extended detection and response (XDR)
- On-demand cybersecurity awareness training
- Identity and access management (IAM)
- Effective patch management
- Attack surface monitoring
- Cloud configuration management
- Continuous security monitoring
- Incident response testing and training
- Next-generation backups
- Data discovery and mapping
- Qualified security leadership
To get a bird’s-eye view on a business’s broad cyberrisk, it may be helpful to use a methodology employed by ratings company Moody’s. The firm assesses cyberrisk based on:
- The industry sector’s systemic role—is it part of critical infrastructure?
- Digitization—is it wholly connected to and reliant upon the internet?
- Perimeter vulnerability—including exposed internet-facing services that lead to company data and the cadence of patching
- The company’s basic cyber hygiene practices
- The estimated financial impact of a cyber incident—does the company have the resources to recover quickly and sustainably?
These criteria may influence the pricing of policies and attractiveness of companies to cyber insurers.
ON THE HORIZON
Artificial intelligence (AI) poses new cyberrisks for businesses. ChatGPT and other large language models are expected to make phishing and other access scams more convincing by eliminating the grammatical errors and unfamiliar phrasing that have traditionally given them away. With phishing the most common form of initial access for attackers, protecting against human susceptibility to such scams is expected to become more difficult. Generative AI may also be able to produce convincing cloned voices for fraudulent phone calls.
AI may also help attackers find and exploit gaps in legacy software applications and code more rapidly. In response to the risks AI presents, the White House issued an executive order on October 30, 2023 (Executive Order 14110) intended to establish standards for the development, security testing, and transparent use of AI.
Credit tightening is expected to continue, which may mean curtailed resources for fighting cyber crime. On the flip side of that coin, carriers likely will continue demanding robust cyber defenses in order to provide preferential terms and pricing on cyberrisk policies.
Cyber insurance is expected to play an important role in lender and M&A transactions because financial partners increasingly are wary of the costs of cyberrisk. Those with better cyberrisk protocols—including insurance, which will serve as a testament to good cyberrisk management—are likely to be seen as safer bets.
Additionally, in October 2023 the Federal Trade Commission approved an amendment to its Safeguards Rule that requires “non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders,” to report data breaches and other cybersecurity incidents to the FTC within 30 days of discovery if the event affects at least 500 consumers. The rule takes effect in spring 2024.
One issue businesses will have to weigh under this compressed timeline from discovery to notification is the risk of overreporting, which could cause reputational damage and unnecessary notification expense, against the risk of underreporting, which could lead to penalties. Carriers often bundle benefits with their policies, such as hotlines, breach response services, and legal consultations. Policyholders would be wise to ask about these ancillary services when reviewing their coverage.
Regulatory pressure on boards of directors and C-suite executives will continue to build in the cyber realm, while investors and employees demand greater diligence in protecting their data, such as personnel files, benefits data, and banking information. Successful loss claims from all of these groups can be expected where cyberrisk management failures can be proven.
Possibly, New York’s new cybersecurity strategy best articulates what clients should practice to have best-in-class cyber protocols: unification, resilience and preparedness. Unification means having a unified approach across the organization so all prevention and response is coordinated. Resilience means being able to withstand and recover from an attack in both the short term and long term. And preparedness means dedicating the resources ahead of time to harden vulnerable areas, spot anomalous activity, and have resources at the ready to respond.
Companies that can demonstrate practices supporting these three principles will significantly reduce their likelihood of a serious breach and will position themselves well to obtain good financial protection through insurance.
We are also keeping an eye on the insurtech and parametric space, as some of the offerings developing there may serve as substitutes for or complements to traditional policies. Parametric insurance, for example, can provide immediate payment that can be used to close the attacker’s entry point, restore data access, or manage public relations while a broader insurance claim is processed.
With a massive influx of cyberrisk insurance submissions, insurers’ time and attention are strained. Through IOA’s established relationships with carriers, we are able to get our clients the attention they need from busy underwriters. Our expertise also helps clients prepare their cyber defenses and show insurers that they are serious about risk management and deserving of good pricing and good terms.