Cyber liability insurance is designed to cover organisations in the event of a cyberattack or data breach. With the FBI’s Internet Crime Complaint Center reporting a 62% increase in attacks in just the first six months of 2021, the growing demand for it is hardly surprising. Damages from cybercrime are expected to sit at around $6 trillion this year. In response, organisations are keen to get the necessary protection – and quickly.
It’s understandable, then, that they look towards cyber insurance as a way of covering themselves in the event of an attack. The concept of insurance is very familiar to business owners and board members, whereas cybersecurity can seem a little more complex.
But before your organisation entertains the idea of cyber insurance or, worse still, looks to rely on it, it’s worth considering its misconceptions and the challenges it presents.
If you’ve got cyber insurance – like any insurance – you can’t become complacent. When you take out a new car policy, it doesn’t give you a licence to drive on the wrong side of the road or at 100mph. You don’t relax in your car in the safe knowledge that if anything happens, you’re covered financially. The insurance is there in case you do have an accident.
The same applies for organisations with cyber insurance. It doesn’t give you a licence to stop caring about your organisation from a security perspective.
Getting your priorities right
For fast-growth companies that are just getting their cybersecurity approach together as they grow, cyber insurance can be seen as a way of bridging the gap, and it’s wise to always have this level of protection; it lessens the blow when an attack does occur.
But importantly, it should not be valued over a robust cybersecurity strategy. Ensuring your company isn’t reliant on cyber insurance is the first step, but ensuring your company has the mindset of security over insurance is equally important. You have to encourage awareness throughout the organisation of the value of cybersecurity.
The reality of cyber insurance
We’ve all been stung in the past with insurance policies that just so happen to not cover the one thing that does occur. That could be dropping your phone in water or filling your car with the wrong fuel. The same is true for cyber insurance – but the consequences are far greater than a car broken down on the forecourt.
While cyber insurance does cover financial damages from a cyberattack, it won’t cover reputational damage, or the fact that your data is out there and compromised. It doesn’t cover loss of intellectual property or patented data such as scientific research. Once that information is out there, the insurer can’t get it back for you or provide compensation.
That’s why it’s so important to always see cyber insurance as a sweetener to the bitter pill you have to swallow when attacked and nothing more.
The darker side to cyber insurance
Unfortunately, cybercriminals have caught on to the insurance industry. If you’ve been attacked with ransomware especially, and they know you have cyber insurance, they will demand the full insured amount. What’s more, there’s evidence that cybercriminals are purposely targeting organisations that have a policy in place, guaranteeing a pay-out.
In this case, having cyber insurance is almost like putting a target on your back, and again, you’ll only be covered for the ransom – the reputational damage will not be salvageable. This doesn’t mean the sector itself is terrible. In fact, it’s advised that you get it. In 2022 and onwards, cyber insurers are becoming a lot more savvy to the motives of criminals and are adjusting their policies as a result.
The future of cyber insurance
It’s becoming more and more apparent that cyber insurers carry out thorough due diligence, and they’re taking more of an active approach in directing customers to important cybersecurity measures to reduce premiums.
It’s obviously going to be in their best interest for your organisation to not get attacked, so they almost act like cybersecurity consultants. Now, more than ever, cyber insurers are conscious of the reality of cybercrime. Ransomware attacks have increased exponentially, and brokers have been seriously burnt. In 2022 and onwards, they will be looking to recoup some of the money they paid out and reduce risk where possible.
While that does mean they will be encouraging organisations to adopt better cybersecurity approaches, it also means premiums will skyrocket and cover will become very hard to get.
We’ve already seen cyber insurers not even offering renewal quotes to large organisations because they know the quote would be wildly uncompetitive (as much as five or ten times the current price) or because they don’t want to take on the risk. Most now refuse to insure against ransomware at all, with pay-outs exceeding premiums. Businesses will have to increase their investment in cybersecurity, tools and processes to prove to insurance providers that they’re a worthwhile risk.
This could be viewed as a negative, but I’d argue it’s a step in the right direction. Cyber insurance is still crucial for most organisations, as attacks have the potential to bankrupt them without it. If insurance providers increase the number of cybersecurity controls required, that reduces the chance of attacks, which in turn reduces the chance of the damages that are not covered by insurance policies.
The increase in premiums and the difficulty of getting cover simply reflect the hard reality of what the cyber landscape looks like at the moment. As attacks increase, premiums will have to increase, and organisations and governments will need to be doing more to defend against future attacks.