The Worsening Cyber Insurance Landscape: Top Survival Tips for Businesses

Rising insurance premiums and financial restraints are forcing many businesses to give up on cyber insurance. According to security experts, a lack of insurance cover could make them more vulnerable financially. But is there a way out for businesses, particularly SMBs operating on a tight budget? Let’s hear from experts.

Cyber insurance costs increasedOpens a new window by 102% in the first quarter of 2022. In addition, the number of companies facing coverage denials, severe coverage restrictions, or complete inability to pay for cyber insurance is expected to rise by 2023. These effects are unavoidable as the world experiences an alarming jump in cyberattacks, stricter regulations, and mounting financial difficulties due to recession.

Due to budget constraints, about 30% of small and medium-sized businesses (SMBs) discontinued their cyber insurance contracts in 2021. According to Jamie Akhtar, CEO and co-founder of CyberSmart, these numbers are highly concerning. 

Cyber insurance is a vital last line of defense for SMEs, and with many businesses canceling their policies, more and more are effectively gambling that they won’t be attacked. The results could be catastrophic.

– Jamie Akhtar, CEO and co-founder of CyberSmart

The state of the cyber insurance sector

Premiums are up, whereas the coverage limits and access to coverage are decreasing. In other words, it’s harder and more expensive to obtain the same coverage that businesses previously enjoyed, says Tim Marley, VP audit, risk & compliance, field CISO at Cerberus Sentinel. “This is a recurring theme amongst our clientele as well. Across the board, we’re seeing an ongoing struggle to obtain sufficient coverage with affordable premiums. A significant number of SME clients are dropping or reducing cyber insurance coverage as a result of these challenges.”

See More: Why Cyber Insurance Should Be a Part of Your Cybersecurity Strategy

Roger Grimes, data-driven defense evangelist at KnowBe4, seconds Marley. “It certainly is in a massive state of increasing requirements, increasing premiums, and lower coverage.” Ransomware and BEC scams have significantly interrupted the massive profit stream of the cyber insurance industry. He believes that even though cybercrime has been around since the beginning of computers, it has been a rare occurrence for decades. Cyber insurance firms could write as many policies as possible and still get 40% to 60% profits, but those days are long over. “There are fewer cyber insurance firms this year than in the previous few years. Customers have to prove they care about cybersecurity, and they will pay more to get less coverage.”

Scott Connarty, general counsel at Adarma, says, “Driven by heightened awareness of cyber threats, the rapid adoption of cloud computing, and the swift digitization of critical businesses such as financial services, there’s an exponential growth in the cyber insurance market with Europe being one of its fastest growing markets. “The cyber insurance market is continually evolving, and we are seeing the market begin to tighten its terms and conditions and thus the coverage of their cybersecurity policies.” 

Given the fast-evolving nature of the cyber threat landscape, the rising cost of ransoms, and increasingly rigorous regulatory controls, insurance companies will continue to review and refine their policies to provide greater clarity over what they will and will not cover.

– Scott Connarty, general counsel at Adarma

The pandemic’s impact on cyber insurance

Sam Soares, chief growth officer at CyberSmart, believes, “Cyber insurance finds itself in an odd bind. We’ve seen cybercrime increase dramatically over the course of the pandemic, making it more important than ever.” 

Yet, at the same time, the market for cyber security ($170bn) was 28 times larger than that of cyber insurance ($6bn) in 2020 and growth projections for 2027-28 will still place the security market at over 10x larger than the insurance market.

– Sam Soares, chief growth officer, CyberSmart

“So it’s clear that not enough organizations have cyber insurance. And, while that trend is set to change a little over the next five years, spending on insurance vs. security isn’t likely to be anywhere close to parity anytime soon,” adds Soares.

“Some of this is down to businesses’ perceptions of cyber insurance; it’s often poorly understood or viewed as a nice to have rather than essential. But it’s also the case, particularly for smaller businesses, that rising premiums are pricing them out of the market. To be clear, this isn’t the insurers’ fault, the rise in cybercrime has effectively thrown a spanner into the works for their traditional business model, but it’s clear something needs to change.”

Insurers have also changed tact and will only provide coverage to businesses that maintain a certain level of cyber security sophistication within their organizations.

– Scott Connarty, general counsel at Adarma 

“With cyber insurance no longer sufficiently protective or affordable in many cases, the most important risk mitigation exercise for companies in 2022 should be improving cyber security resilience and governance,” suggests Connarty. How? The top tips are listed below.

Top Tips To Stay Prepared Against Cyber-attacks

A defense-in-depth approach

According to Grimes, here are four things all defenders should do to mitigate hacker and malware attacks: 

• Better focus on preventing social engineering, using a best defense-in-depth combination of policies, technical defenses, and education.
• Patch software and firmware, especially listed on CISAOpens a new window ’s Known Exploited Vulnerability Catalog – the code vulnerabilities being exploited by real-world hackers against real-world targets.
• Use phishing-resistant multi factor authentication (MFA) to protect valuable data and systems.
• Using different, secure passwords for every site and service where MFA cannot be used.

Assess, determine, and be serious

Marley outlines another three key tips. The first is to keep in mind that the insurance market is all about risk. If you proactively assess your cyber security risk and then respond accordingly to address that risk, you’ll have greater access to coverage that meets your needs at a more affordable level. Therefore:

• Determine the appropriate methodology for managing risk in your organization and assemble a team with the capability to make risk decisions, and  
• Conduct a cyber security risk assessment for your organization, including internal and external systems, third parties in your assessment, and operational units. Don’t limit this to IT/OT. Be honest with yourselves about where you’re at. Do consider evaluating the maturity of your processes and skill capabilities. Finally, after scoring and ranking risks, make the hard decisions. 

The second is to determine the appropriate risk responses for each risk identified:

• Avoid/Mitigate/Accept/Transfer 
• Design a cyber security roadmap with projects that address the highest risks identified.  You won’t be able to tackle them all, so focus on the top ten.
• Continue monitoring your environment for changes to your risks. This includes monitoring an evolving threat landscape, newly identified vulnerabilities, and the dynamic nature of your information assets. Adjust your risk responses appropriately.

The last one is when you show your cyber insurance provider that you are taking your cyber security strategy seriously, they will respond favorably.

Be cyber resilient

Connarty advocates the need for organizations to pursue a road to self-insurance. “Organizations should continue to focus on strengthening their cyber resilience through the continuous evaluation of their preventative, detective, and response capabilities. Maintaining and improving cyber resilience is an ongoing process.”

Train staff and be proactive

Soares advocates for following the security controls outlined by the government’s Cyber Essentials certification. But we also suggest regular staff training in cybersecurity basics. “Human error causes the majority of successful cyber attacks, but if your people aren’t aware of which behaviors are harmful or what to look out for, they’re much more likely to fall prey to threats.”

He thinks we’re probably moving towards a time when insurers will begin to demand evidence that cybersecurity standards have been met before a policy is granted. Being proactive about your cybersecurity is the best way to get ahead.

See More: Cyber Risk Assessments: How to Reduce Risk and Optimize Insurance

Key Takeaway

Given the present situation, it is obvious that something needs to be done to make cyber insurance more affordable, especially for small or medium-sized enterprises. “A Saas-led approach with an incorporated insurance strategy that focuses on achieving fundamental cyber hygiene is one potential remedy,” suggests Akhtar. The use of technology by insurers to mitigate risk and lower premium costs has not been extensively implemented. As a result, insurers are forced to choose between offering competitive pricing and not controlling risk as they would with other products.

MORE ON CYBER INSURANCE

• ​​Cyber Insurance Growing Amid Increasing Risks to Data Protection
• Why Every Small & Mid-Sized Business Should Not Ignore Cyber Liability Insurance
• Ransomware Payments: Is Cyber Insurance With Proper Controls the Best Solution?