When your cyber insurance coverage comes up for renewal this year, you can plan on a couple of new factors:
- Your premium will be significantly higher.
- Your insurance company will ask a lot more tough questions about your cybersecurity policies.
The new demands from insurance companies have gotten so rigorous that Pratum has had more than one client call to say, “They’re telling us that if we don’t implement some new cybersecurity policies ASAP, we’ll lose our cyber insurance coverage.”
Clearly, the cyber insurance market is navigating uncertain times. A 2021 AM Best report flatly stated that, “prospects for the U.S. cyber insurance market are grim.” In this blog, we’ll help you make sense of the factors driving changes in your policy and pricing right now. (If you’re just getting started with cyber insurance, read this blog to learn the basics of cyber policies.)
Somebody Has to Pay All Those Ransoms
If a run of forest fires torches your area, you expect your homeowners’ insurance to spike in the coming years. Cyber insurance is no different. It’s a fairly recent insurance product, with only a few years of claims to guide insurance companies as they underwrite policies, set premiums and establish their profit expectations. In such a young market, many insurance companies were fairly lax on their underwriting procedures, echoing the days of easy mortgages before the 2008 financial crisis. Throw in constantly changing threats and security plans, and you have all the dry ingredients required to blow a volatile industry sky high.
In the last year, ransomware has been the match tossed into the cyber insurance tinderbox. Ransomware attacks jumped 151% in the first half of 2021, and ransom payments have quintupled from an average of $43,600 in 2019 to more than $220,000 this year.
Hackers Learn to Leverage Cyber Insurance
Hackers have learned how to operate in a world where more victims have cyber insurance. When hackers breach a system, they often run a search for cyber insurance policies, just to find out what kind of budget they’re working with. If a victim balks at paying a ransom demand, the hackers are known to screenshot the victim’s own cyber insurance policy and send it over with a note saying, “Don’t lie about how much you can pay us. We’re looking at your policy’s provisions right now.”
What It Means for Insurance Companies
Charts of cyber insurance claims over the last year look like hockey sticks, which means some insurance companies are losing money on their cyber insurance lines as premiums fall behind what they’re paying out in claims. Articles from within the insurance industry are using phrases like “spiraling loss costs” and “existential threat.” A recent report from Howden states, “The cyber insurance market is undergoing one of its most transformative changes since the first cyber policy was underwritten some 20 years ago.”
Earlier in 2021, seven major cyber insurance companies banded together to form CyberAcuView, “a collective effort to enhance cyber-risk mitigation efforts.” In short, the companies will be sharing claim data to make their businesses more accurate and sustainable. Will this teaming up of major players do anything good for customers? Time will tell.
Some industry watchers argue that all this represents a healthy clean-up for the industry. They’re hoping that the trials of 2021’s ransomware surge will mold a new breed of insurance company that uses more accurate underwriting, provides healthy coaching to clients and uses a combination of carrots and sticks to get clients to use better risk mitigation strategies.
What It Means for You
As insurance companies work to stave off this seeming existential threat, expect two developments:
- Higher Rates – Cyber insurance rates are averaging a 32% increase this year, with some customers seeing quotes 50% higher than a year earlier.
- Tougher Underwriting – We’re all used to getting better rates on health insurance or car insurance if we quit smoking or drive more safely. In today’s cyber insurance market, the issue isn’t just whether you’ll get a better rate. It’s whether any company will even be willing to insure you without the right cyber safeguards in place.
Many insurance companies are requiring steps such as implementing multifactor authentication before they’ll renew policies or grant new ones. And unlike in the old days of a year ago, the insurance company may not take your word for it when you say you’re doing all the right things. The insurance company may hire a third-party assessor to confirm you have the right tools in place, or it may ask to run a scan of your system for proof.
Start Your Cybersecurity Plan Now
While you may find all this heavy-handed, we have to point out that the insurance companies are really just requiring what a wise organization would be doing anyway. In a world overrun with cyber threats, you’re needlessly gambling your job and your company’s future if you ignore basic cyber hygiene steps such as implementing MFA, regularly patching software, etc. And if your insurance company isn’t the one pushing you to take these steps, your industry partners and clients probably will be soon.
If you need help getting started on a set of cybersecurity policies that boost your insurance prospects along with your overall peace of mind, contact Pratum today.