The World Economic Forum recently published its Global Risks Report for 2023, noting that cyber insecurity will be one of the top 10 risks facing governments and organizations in the next 10 years. Insurance providers are responding to the growing threat landscape and the rising cost of cybercrimes by setting new standards in cyber insurance.
Insurance providers have always calculated probabilities. When the Russia-Ukraine war broke out, for example, insurance companies started refusing to cover Ukrainian businesses after doing the math. Insurers understood that the likelihood of Ukrainian entities being attacked by Russian nation-state actors and state-backed civilian groups was so high that cyber insurance for Ukrainian companies would not be profitable.
A similar situation is now happening with cyber insurance and causing a reform in the industry. Insurers are fast realizing that in today’s threat landscape, no matter how much a company fortifies itself, it still has a chance of getting hit. Moreover, insurance companies are also faced with the difficulty of assessing the impact security tools and services have on improving cybersecurity. While companies may invest heavily in their security, this investment may not result in effective reduction of cyber risk, and insurers rightly lack the confidence that their clients’ investment will prevent them from getting attacked.
Moreover, President Biden’s new cybersecurity strategy, which holds companies directly responsible for the user information in their domains and premises, adds another security concern for companies and insurers alike. This new strategy shifts liability over cybersecurity to companies and requires that they shoulder the burden of securing users’ private information. Companies that fail to do this and remain vulnerable to attacks may find themselves dealing with civilian lawsuits for compromised user information originating from their databases.
Insurance providers are responding to these shifts and the growing risks their clients face by taking various measures to protect themselves against recurring payouts.
In August of 2022, for example, Lloyd’s of London announced they will no longer insure companies against nation-state attacks. This comes on the heels of major attacks, which tipped the scales of profitability for insurance companies. Those attacks made insurers aware of the cost of such breaches and of the probability that organizations breached once by state actors will be attacked again.
Organizations up for insurance renewal and those applying for cyber insurance for the first time may be in for a rude awakening when they discover the new norm in cyber insurance. Here are the top three considerations companies should discuss internally before relying on cyber insurance:
1. “Insurance as security” may not be a feasible option
The tightening of the terms and conditions for cyber coverage means that some companies will no longer be eligible for cyber insurance, while others will be priced out.
We can expect the trend that started with Lloyd’s of London to continue and spread, as insurers continue to eliminate certain attacks from their offerings. This means that even companies that meet the new coverage requirements and manage to get past the new underwriting standards could still face problems if certain cyberattacks are not covered in policies. As a result, organizations will be forced to invest in their security measures and practices instead of relying solely on insurance policies to cover their attack costs.
2. Insurers’ new requirements will mean an added investment in security
Companies that still intend to invest in cyber insurance will likely need to invest more in security to reach the cyber maturity level that will become a prerequisite for insurance coverage. We can expect cyber audits and cyber maturity assessments to become mandatory and stipulated in the terms and conditions of new cyber policies.
But investment in improving security will not be the only financial strain companies should expect. Another step insurers will take that will have financial implications is increasing premium prices. The sharp rise in insurance costs will likely price out many small and medium businesses.
3. Companies will need to adjust their security budgets to these new demands
For some organizations, the increased costs will mean asking for bigger budgets. For others, it will mean reprioritizing their existing budgets. Insurers’ new security posture requirements put the burden of proof on the customer, thereby adding a new line item to the security budgets of organizations seeking cyber coverage.
How companies can prepare for insurers’ new requirements
This reality is already underway, and companies are responding by stepping up their game and establishing new standards of cybersecurity. They are doing this by:
- Investing in robust security plans that are both proactive and reactive.
- Developing security protocols that will mitigate, patch, and manage breaches when they happen.
- Taking defensive measures to anticipate attacks and reduce risk.
- Renegotiating security budgets or redistributing existing resources to improve cybersecurity.
Bottom line? Improved cybersecurity is proving to be a necessity either as a prerequisite for cyber insurance, or as a way for companies that don’t intend to rely on insurance anymore to handle their risk.
Learn more about how CYE can improve cybersecurity for overall risk reduction and for insurance eligibility. Contact us today.