Macro Factors

In today’s business world, it is almost impossible to conduct operations without relying on some sort of system. From simple tasks like scheduling appointments to complex operations like managing inventory, systems play a critical role in helping businesses run smoothly and efficiently. In recent years, the number of business systems that have come online has been increasing exponentially. As the number of systems and connected devices grows, so does a business’s attack surface.

An attack surface is the total number of vulnerabilities that can be exploited by attackers to gain access to a system. The more devices that are connected to a network, the greater the potential for vulnerabilities.

So, to round things up, greater dependence on systems to conduct business, larger attack surfaces, and an increase in the frequency and severity of cyber-attacks have caused a sort of ‘Black Swan’ event for any business that finds itself shopping for cyber insurance or coming up on renewal.

Premium Increase Factors

There are several reasons why cyber insurance premiums are increasing for companies. One of the main reasons is the increasing frequency and severity of cyber-attacks. As cyber-attacks become more common and more sophisticated, insurance companies are having to pay out more in claims, which is driving up premiums.

The main cyber-attack headline grabber has been, hands down, ransomware. Most people would never guess this, but there were actually more ransomware attacks in 2016 than in 2021. Despite the lower number of attacks, combined damages and payouts increased by a factor of 20 from 2016 to 2021.

Another reason for the increase in cyber insurance premiums is the growing complexity of the cyber risk landscape. As organizations become more reliant on technology and the internet, they are exposed to a wider range of cyber risks, such as data breaches, ransomware attacks, and network outages. Because businesses depend more heavily on their systems, the productivity and profit lost when those systems are disrupted have to be underwritten into every business’s policy, which, in virtually all cases, is leading to higher premiums across the board.

Regulatory Environment

If you were to survey 100 people with the question “Would you prefer not to have your personal information leaked accidentally by a company you purchase a product or service from?”, you’d likely get a 100% yes rate.

With the number of large data breaches, exfiltrations, and leaks of consumer data over the years, legislators have reacted with new, improved, and modernized business security recommendations and regulations across many industries.

These changes in regulatory environments are also playing a role in the increase in cyber insurance premiums. In many countries, there are new laws and regulations that require organizations to have cyber insurance in order to protect themselves and their customers from the consequences of cyber-attacks. This is increasing the demand for cyber insurance, which is also, in turn, driving up premiums.

Getting Approved for your Premium

The requirements for companies to get approved for cyber insurance vary depending on the insurance company and the type of coverage being sought. However, there are some common factors that insurance companies typically consider when evaluating cyber insurance applications.

One of the key requirements for companies to get approved for cyber insurance is to demonstrate that they have adequate security controls, policies, and tools in place. While the requirements vary by premium and business size, they generally fall into the following categories:

  • Identity Access Management
  • Network Security
  • System & Host Security
  • Vulnerability Management
  • Privilege and Entitlement Management
  • Event Logging
  • End User Training
  • Security Event and Incident Response

Insurance companies will often require companies to provide documentation and evidence of their security controls and policies and may also conduct on-site inspections to verify the effectiveness of those controls.

Incident Response Planning

Another requirement for companies to get approved for cyber insurance is to have a robust incident response plan. This should include details about how the company will respond to a cyber-attack, including steps to contain the attack, recover from it, and prevent future attacks. Insurance companies will typically review and evaluate a company’s incident response plan to ensure that it is comprehensive and effective.

Additionally, companies may also be required to provide evidence of their compliance with relevant laws and regulations related to cybersecurity. This can include things like compliance with data protection laws and industry-specific regulations, such as HIPAA, for healthcare organizations.

Overall, the requirements for companies to get approved for cyber insurance can vary depending on the insurance company and the type of coverage being sought. However, common requirements include adequate security controls and policies, a robust incident response plan, and compliance with relevant laws and regulations.

Why Businesses are Denied Coverage

There are several reasons why a company might be denied cyber insurance coverage. One of the main reasons is a lack of adequate security controls and policies. Insurance companies typically require companies to have robust security controls and policies in place in order to be eligible for cyber insurance coverage. If a company does not have sufficient controls and policies, or if those controls and policies are not properly implemented or maintained, the insurance company may deny coverage.

Another reason why a company might be denied cyber insurance coverage is a history of cyber-attacks or security incidents. Insurance companies often consider a company’s history when evaluating its cyber insurance application. If a company has a history of cyber-attacks or security incidents, the insurance company may view the company as a higher risk and may deny coverage or charge higher premiums.

Additionally, a company may be denied cyber insurance coverage if it has not implemented a robust incident response plan. Insurance companies often require companies to have a detailed and effective incident response plan in place in order to be eligible for coverage. If a company does not have an incident response plan or if the plan is inadequate, the insurance company may deny coverage.

Overall, there are several reasons why a company might be denied cyber insurance coverage. These can include a lack of adequate security controls and policies, a history of cyber-attacks or security incidents, and a lack of a robust incident response plan. By addressing these factors, companies can increase their chances of being approved for cyber insurance coverage.