{"id":349,"date":"2024-09-24T10:01:00","date_gmt":"2024-09-24T10:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=349"},"modified":"2024-09-24T10:01:00","modified_gmt":"2024-09-24T10:01:00","slug":"cyber-insurance-price-hikes-stabilize-as-insurers-expect-more-from-cisos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=349","title":{"rendered":"Cyber insurance price hikes stabilize as insurers expect more from CISOs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cyber insurance costs have stabilized over the past year following a period of rate hikes driven in large part by increased ransomware attacks.<\/p>\n<p>During the past few years, insurance payouts exceeded 70% of premiums, resulting in an unsustainable business environment for cyber insurers. Insurers responded to the burden of higher claims by raising premiums far above inflation levels, while imposing stricter underwriting requirements and, in some cases, coverage limitations.<\/p>\n<p>As a result, <a href=\"https:\/\/www.fitchratings.com\/research\/insurance\/us-cyber-insurers-see-favorable-premium-growth-results-in-2023-13-04-2023\">insurance premiums rose 50% in 2022<\/a>, according to Fitch Ratings, and while <a href=\"https:\/\/www.fitchratings.com\/research\/insurance\/us-cyber-insurance-maintains-strong-profits-premium-growth-slows-16-04-2024\">costs continue to rise<\/a>, the increments CISOs are encountering for cyber insurance have slowed of late.<\/p>\n<p>\u201cWe\u2019re now seeing a decline in ransomware incidents and payments, which is helping to stabilize costs,\u201d says Michael Robert, a cybersecurity specialist at GTA Bloom.<\/p>\n<p>Insurers\u2019 strict underwriting requirements and their insistence on better cyber hygiene practices from potential 
clients have also played a role in stabilizing the market, industry experts report.<\/p>\n<p>\u201cNow that we have passed the hard market, we are able to offset some of the need for rate and lessen the coverage limitations, as we\u2019ve seen cybersecurity posture improve across most industries and revenue bands,\u201d Emma Fekkas, regional vice president of underwriting at Cowbell Insurance, tells CSO.<\/p>\n<p>\u201cWhile strict underwriting requirements have not really changed, we are seeing better cybersecurity hygiene in companies seeking cyber insurance,\u201d she adds.<\/p>\n<h2 class=\"wp-block-heading\">Risk mitigation in an era of escalating cyber incident costs<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571703\/cyber-insurance-explained.html\">Cyber insurance<\/a> is a specialized form of insurance designed to protect businesses from financial losses and liabilities arising from the effects of <a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a> or other forms of cyberattack and data breaches.<\/p>\n<p>Policies typically cover business interruption losses due to cyberattacks, the cost of recovering systems, legal fees, infosec consultant charges, the cost of notifying customers, and even (in some cases) ransomware payments \u2014 themselves still a <a href=\"https:\/\/www.csoonline.com\/article\/3488842\/to-pay-or-not-to-pay-cisos-weigh-in-on-the-ransomware-dilemma.html\">contentious topic among CISOs<\/a>.<\/p>\n<p>And the costs associated with data breaches continue to rise. 
According to research from IBM, the <a href=\"https:\/\/www.csoonline.com\/article\/3479321\/the-cost-of-a-data-breach-continues-to-escalate.html\">average cost of a data breach<\/a> jumped by 10% this past year, to US$4.88 million.<\/p>\n<p>Ransomware has, by far, been the leading cause of cyber insurance losses, according to a <a href=\"https:\/\/www.munichre.com\/en\/insights\/cyber\/cyber-insurance-risks-and-trends-2024.html\">cyber insurance trends report by insurer Munich Re<\/a>, which notes that manufacturing has been the sector with the highest number of ransomware claims. Zscaler Threat Labs\u2019 2024 Ransomware report confirms <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/threatlabz-ransomware-report-unveiling-75m-ransom-payout-amid-rising\">manufacturing is the most targeted industry<\/a> for ransomware, followed by healthcare, technology, and education.<\/p>\n<p>A <a href=\"https:\/\/www.chainalysis.com\/blog\/ransomware-2024\/\">2024 study by Chainalysis<\/a> showed that ransom crypto payments nearly doubled in 2023 to US$1.1 billion, up from US$567 million in 2022. 
Other costly attack vectors were business email compromise (BEC) and supply chain attacks.<\/p>\n<h2 class=\"wp-block-heading\">Cyber insurance policies evolve<\/h2>\n<p>Businesses typically need to demonstrate strong cybersecurity practices to get cyber insurance coverage, and these baselines have been elevated as cyber events become more frequent and costly.<\/p>\n<p>Keith Povey, security evangelist at enterprise security monitoring tools vendor Panaseer, tells CSO: \u201cInsurers have had their fingers burnt on big payouts and are asking for more assurances from customers \u2014 some won\u2019t even give a quote unless companies can prove a certain baseline of security.\u201d<\/p>\n<p>Moreover, ransomware attacks have changed the market by pushing insurers to implement stricter underwriting processes, according to James Harrison, global head of insurance at commercial data analytics firm Dun &amp; Bradstreet.<\/p>\n<p>\u201cMany insurance policies no longer offer full coverage for ransomware events, instead capping coverage for ransom payments,\u201d Harrison says. \u201cData-driven risk assessments are now a key tool for insurers, allowing them to identify cyber vulnerabilities within businesses. This means personalized policies can be adapted to a company\u2019s specific risk exposure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Regional differences on cyber insurance<\/h2>\n<p>Overall, the global cyber insurance market reached US$14 billion in 2023 and is estimated by Munich Re to further double to US$29 billion by 2027. 
Still, regional differences in prevalence of coverage and regulatory and legal contexts remain.<\/p>\n<p>For example, according to data presented at the Zywave conference in London earlier this year, the share of companies insured against cybersecurity risk was estimated at 20% in the US, 12% in Germany, and 10% in the UK.<\/p>\n<p>The US figure is higher because of the greater maturity of the market there, as well as the greater risk US companies face, compared with their European counterparts, from class-action lawsuits arising from data breaches, observers say.<\/p>\n<p>\u201cThere has been a much higher uptake of cyber insurance in the US than in Europe,\u201d according to Claud Bilbao, UK regional vice president of sales and distribution at Cowbell Insurance. \u201cThis has been driven by a number of key factors, most notably the differences around approach to litigation and legal risk, the regulatory environment, cyber awareness, as well as insurance market maturity.\u201d<\/p>\n<p>Rick Betterley, author of The Betterley Report and an expert who has researched cyber insurance since 2000, adds that US corporate insurance advisers are more proactive when it comes to selling cyber insurance coverage.<\/p>\n<p>\u201cI suspect a broker in the US is more worried about getting sued by a client for not informing the client about cyber risk and insurance than in other countries,\u201d Betterley, president of Betterley Risk Consultants, tells CSO.<\/p>\n<p>Both US and European cyber insurance markets are expected to continue growing as cyber threats increase and awareness of risk management through insurance becomes more widespread.<\/p>\n<p>\u201cThe US cyber insurance market is larger, more mature, and characterized by higher uptake,\u201d says Cowbell\u2019s Bilbao. 
\u201cIn contrast, Europe\u2019s market is developing, with GDPR being a key driver of growth, but with slower uptake due to less perceived risk and lower market maturity.\u201d<\/p>\n<p>Another factor that may impact regional differences is that large companies sometimes need to contract with more than one cyber-insurance provider to cover their desired liability. With cyber insurance more prevalent in the US, this may mean more policies in play among its larger enterprises.<\/p>\n<p>\u201cA larger company may wish to buy higher limits than any single insurer will offer,\u201d Betterley says. \u201cSo in order to achieve the desired limits they might buy a base limit (i.e., $25 million) and layer another limit (say, $10 million) on top of that for a total of $35 million. Large companies in the US often buy several hundred million dollars of limits.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Regulations also driving cyber insurance uptake<\/h2>\n<p>Regulation, and in particular the expanded scope of the NIS2 framework, is a key factor driving the uptake of cyber insurance in Europe.<\/p>\n<p><a href=\"https:\/\/www.nis-2-directive.com\/\">NIS2<\/a> (Network and Information Systems Directive 2) comes into effect in October 2024, expanding the scope of sectors and entities covered by the EU-wide regulation.<\/p>\n<p>NIS2 imposes stricter cybersecurity requirements and risk management measures on organizations in 15 critical sectors instead of the previous seven and places a greater emphasis on securing supply chains and the overall security of suppliers.<\/p>\n<p>More businesses, many of them small to midsize, in multiple sectors across Europe will need to comply with the directive. 
Organizations may turn to cyber insurance to help manage the financial risks associated with potential non-compliance or security incidents covered by NIS2.<\/p>\n<p>Moreover, cyber insurance providers often offer risk management services that can help organizations improve their security maturity.<\/p>\n<p>\u201cIf a company follows a cybersecurity framework, such as NIS2, there are processes an organization needs to put in place to comply \u2014 for example, crisis management, incident response, forensic services, etc. \u2014 as preparation for a potential cyber incident,\u201d Tony Anscombe, chief security evangelist at ESET, tells CSO.<\/p>\n<p>\u201cThese services or skill sets are not necessarily something you have to hand in operational teams, but they are typically provided by cyber insurers as part of the policy,\u201d Anscombe says.<\/p>\n<p>Any regulation that requires information disclosure \u2014 including but not limited to NIS2 and <a href=\"https:\/\/www.csoonline.com\/article\/562107\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\">GDPR<\/a> as well as US regulations such as the <a href=\"https:\/\/www.csoonline.com\/article\/565923\/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html\">California Consumer Privacy Act<\/a> \u2014 or that requires incident response creates a rationale for companies to invest in cyber insurance as part of their plans to improve their overall cybersecurity maturity.<\/p>\n<p>Other experts agree that regulations play a big role in motivating CISOs to buy cyber insurance.<\/p>\n<p>\u201cRegulations that impose costly response obligations on the breached organization make for a compelling reason to buy insurance,\u201d Betterley says.<\/p>\n<p>Most larger companies follow a framework or standard, such as <a href=\"https:\/\/www.isms.online\/iso-27001\/\">ISO 27001<\/a>, for risk management. 
When companies follow a framework, they naturally develop more mature security architecture and policies, making them easier to insure.<\/p>\n<p>\u201cIf a company does not follow a framework, they may be required by the insurer to implement additional protection and respond to any concerns the insurer highlights,\u201d ESET\u2019s Anscombe says.<\/p>\n<h2 class=\"wp-block-heading\">CISO liability becomes a factor<\/h2>\n<p>Recent US federal legislation and regulatory enforcement from the SEC have put <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">CISOs in the firing line<\/a>, facing the threat of legal action if their organizations\u2019 actual security posture fails to match the assurances reported to investors.<\/p>\n<p>\u201cThis has increased jeopardy, and cyber insurance is evolving to encompass individuals as well as their employers,\u201d according to Panaseer\u2019s Povey. \u201cMany CISOs are now considering personal indemnity insurance and asking for it as part of their contract so they\u2019re covered in the event of a lawsuit.\u201d<\/p>\n<p>Doubts remain about whether CISOs are protected by employers only as long as they work for them, or for life. \u201cWe\u2019re approaching a scenario where CISOs could leave their company and then face a lawsuit from their ex-employer for security failings,\u201d Povey warned.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cyber insurance costs have stabilized over the past year following a period of rate hikes driven in large part by increased ransomware attacks. During the past few years, insurance payouts exceeded 70% of premiums, resulting in an unsustainable business environment for cyber insurers. 
Insurers responded to the burden of higher claims by raising premiums far [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":338,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-349","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/349"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=349"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/349\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/338"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}