{"id":567,"date":"2024-10-10T07:00:00","date_gmt":"2024-10-10T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=567"},"modified":"2024-10-10T07:00:00","modified_gmt":"2024-10-10T07:00:00","slug":"cyber-insurance-explained-costs-terms-how-to-know-its-right-for-your-business","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=567","title":{"rendered":"Cyber insurance explained: Costs, terms, how to know it\u2019s right for your business"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<h2 class=\"wp-block-heading\"><strong>What is cyber insurance?<\/strong><\/h2>\n<p>Cyber insurance, also known as cyber risk insurance or cyber liability insurance coverage (CLIC), is an insurance policy that helps cover costs associated with data breaches or cyberattacks. Cyber insurance mitigates the risk exposure of a business by offsetting costs involved with damages and recovery from a cyber event. Policies typically include underwriting requirements and coverage limitations, and provide cyber defense baselines necessary for coverage.<\/p>\n<h2 class=\"wp-block-heading\"><strong>What does cyber insurance cover?<\/strong><\/h2>\n<p>\u201cIn its rawest and simplest form, cyber insurance provides cover for everything that happens following a cyberattack, including financial, operational, reputational, and personal protection,\u201d says Ed Ventham, co-founder of UK-based specialist cyber insurance brokers Assured.<\/p>\n<p>Cyber insurance policies are becoming more diverse as the market matures, and the finer details regarding what one policy covers often differ from another depending on several factors. 
Nonetheless commonalities across most cyber insurance policies include:<\/p>\n<p>Losses resulting from business interruption (lost revenue from systems being down or encrypted)<\/p>\n<p>Contingent business interruption (lost revenue from systems being down due to a third party\u2019s failure, such as an IT vendor)<\/p>\n<p>Digital asset destruction<\/p>\n<p>Data retrieval and system restoration costs<\/p>\n<p>System failure<\/p>\n<p>Cyber extortion\/<a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571993\/social-engineering-definition-examples-and-techniques.html\">Social engineering<\/a> and cybercrime, and network security and privacy liability<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/562125\/what-is-incident-response-and-how-to-build-an-ir-plan.html\">Incident response<\/a><\/p>\n<p>Crisis services<\/p>\n<p>Legal and regulatory expenses<\/p>\n<p>According to a recent report by NetDiligence, incident response accounts for the largest cost in a claim.<\/p>\n<p>\u201cMany businesses, especially small to midsize, do not have the resources on hand to respond to an incident,\u201d says Tony Anscombe, chief security evangelist at ESET. \u201cTypically, an insurer will have a team in place to assist as needed.\u201d<\/p>\n<p>Cyber insurance also often offers financial protection from litigation in the wake of cyber incidents.<\/p>\n<p>Emma Werth, RVP of underwriting for the East Coast at Cowbell, a provider of cyber insurance for small and midsize enterprises, says that insurance helps breached organizations claw back notification and legal costs.<\/p>\n<p>\u201cThere is an increasing trend of \u2018data breach ambulance chasers\u2019 with class-action lawsuits regarding data breaches on the rise,\u201d Werth explained. 
\u201cNotification costs and ancillary services, such as credit monitoring, are becoming increasingly important due to these claims.\u201d<\/p>\n<p>In the past few years, insurers have significantly narrowed coverage definitions, <a href=\"https:\/\/www.csoonline.com\/article\/574157\/what-you-should-know-when-considering-cyber-insurance-in-2023.html\">requiring stricter adherence to security standards<\/a>.<\/p>\n<p>\u201cMany insurers now carefully assess a company\u2019s cybersecurity posture before offering comprehensive coverage, and some risk areas \u2014 like certain types of ransomware payments \u2014 may be excluded altogether,\u201d said Sami Dhifi, cyber risk services lead at global management consultancy Alvarez &amp; Marsal.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Cyber insurance costs, terms, conditions<\/strong><\/h2>\n<p>Leading the trends affecting demand for and cost of coverage, policy terms and conditions, requirements, and limits is <a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a>.<\/p>\n<p>Ransomware has been the <a href=\"https:\/\/www.csoonline.com\/article\/652906\/us-cyber-insurance-claims-spike-amid-ransomware-funds-transfer-fraud-bec-attacks.html\">single biggest loss vector for insurers<\/a> reaching a point where payouts exceeded 70% of premiums. Insurers responded by not only <a href=\"https:\/\/www.csoonline.com\/article\/3537205\/cyber-insurance-price-hikes-stabilize-as-insurers-expect-more-from-cisos.html\">raising premiums but imposing stricter underwriting requirements<\/a> and, in some cases, applying coverage limitations.<\/p>\n<p>\u201cThe 2020\/2021 \u2018ransomware pandemic\u2019 shaped the pricing of the \u2018hard market,\u2019 as ransomware groups were moving faster than regulation and security,\u201d says Assured\u2019s Ventham. \u201cToday, security thresholds have caught up. 
A large part of this has been driven by insurance,\u201d as the standards and requirements to purchase cyber insurance are much higher than before.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/3537205\/cyber-insurance-price-hikes-stabilize-as-insurers-expect-more-from-cisos.html\">cost of cyber insurance premiums<\/a> rose dramatically in 2021 and 2022, driven by a surge of ransomware-related claims that put a strain on insurers and threatened the viability of the market. <a href=\"https:\/\/www.fitchratings.com\/research\/insurance\/us-cyber-insurers-see-favorable-premium-growth-results-in-2023-13-04-2023\">Insurance premiums rose 50% in 2022<\/a> before a more recent decline in ransomware incidents and payouts helped to stabilize costs.<\/p>\n<p>Matthew Bell, owner of IT consulting and services firm Bell ICT, says increased competition in cyber insurance is also helping to drive down price pressures despite the continuing prevalence and severity of ransomware.<\/p>\n<p>\u201cRansomware attacks continue to increase but surprisingly this hasn\u2019t resulted in increased pricing,\u201d according to Bell. \u201cThis pricing stabilization is driven by more MGAs [Managing General Agent, a specialized type of insurance intermediary] and insurers entering the market.\u201d<\/p>\n<p>As for conditions, exclusions lists that could void coverage or see claims denied or reduced because of fine print are on the rise, according to\u00a0<a href=\"https:\/\/delinea.com\/resources\/cyber-insurance-report-2023\" target=\"_blank\" rel=\"noopener\">Delinea\u2019s 2023 State of Cyber Insurance report<\/a>, based on a survey of more than 300 organizations. These include lack of security protocols (43%), human error (38%), acts of war (33%), and not following proper compliance procedures (33%). 
Lack of security protocols is the top reason smaller organizations have had claims denied (40%), while human error is the top reason larger organizations have had claims denied (48%).<\/p>\n<p>The Delinea report also indicated that not all costs involved in a data breach may be covered, with policies least likely to pay for lost revenue, regulatory fines, legal fees, and ransomware payments. Respondents said expenses most likely to be recouped were those spent on data recovery. However, data recovery can mean different things to different insurers and in different situations.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Cyber insurance security control requirements<\/strong><\/h2>\n<p>Organizations applying for cyber insurance policies must display that they can meet security control requirements that insurers look for when considering a potential policyholder\u2019s risk status. Insurers typically assess security controls by asking applicants to <a href=\"https:\/\/www.csoonline.com\/article\/570783\/17-cyber-insurance-application-questions-youll-need-to-answer.html\" target=\"_blank\" rel=\"noopener\">complete detailed questionnaires<\/a>.<\/p>\n<p>\u201cInsurers understand risk and if they require the insured to have MFA [multifactor authentication], managed detection and response, and the many other requirements, this is because it statistically reduces their risk of a claim being made,\u201d ESET\u2019s Anscombe tells CSO.<\/p>\n<p>Security advisors and consultants say they see insurers asking more questions of those seeking insurance policies. They\u2019re requiring proof that applicants have achieved certain levels of security hardening, such as\u00a0<a href=\"https:\/\/us.aicpa.org\/interestareas\/frc\/assuranceadvisoryservices\/aicpasoc2report\">SOC 2 compliance<\/a>. They\u2019re reviewing security strategies and policies as well as security training and awareness programs. 
This in turn has required more involvement from enterprise security leaders in the insurance procurement process.<\/p>\n<p>\u201cIf you want to get your claim, you usually have to use their panel of vendors or follow their procedures,\u201d says Michael Pisano, a managing director at global consulting firm Protiviti. For example, they will be required to have detailed response and recovery plans in place \u2014 in the event of an incident, insurers want clients to meet specific requirements, such as which lawyers should be used and what forensics should be performed, and by whom. As a result, he says CISOs need to understand those requirements and incorporate them into their playbooks.<\/p>\n<p>Even then, there is no guarantee that insurers will cover the losses, experts warn, requiring organizations to prove that their security teams followed through on all plans and continuously maintained the security levels they described when getting their policies.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Cyber insurance exclusions for state-backed cyberattacks<\/strong><\/h2>\n<p>In August 2022, <a href=\"https:\/\/www.csoonline.com\/article\/573443\/lloyd-s-of-london-to-exclude-state-backed-attacks-from-cyber-insurance-policies.html\">insurance marketplace Lloyd\u2019s of London announced<\/a> it would introduce cyber insurance exclusions for \u201ccatastrophic\u201d state-backed attacks. In a market bulletin published on Aug. 
16, 2022, Lloyd\u2019s stated that while it \u201cremains strongly supportive of the writing of cyberattack cover\u201d it recognizes that \u201ccyber-related business continues to be an evolving risk.\u201d Therefore, the company moved to require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with several requirements.<\/p>\n<p>The policy to add a clause excluding liability for losses arising from any state-backed cyberattack in standalone cyberattack policies came into effect at the end of March 2023.<\/p>\n<p>Speaking to CSO, Jonathan Armstrong, lawyer and partner at compliance firm Cordery, says the biggest issue organizations and CISOs face in relation to the exemption put forward by Lloyd\u2019s surrounds accurate attack attribution. \u201cWhilst with specialist help you can often say that there are indicators of nation-state involvement, we know it\u2019s hard to be certain. It\u2019s these difficulties which are likely to lead to litigation, as the insurers may think there is nation-state involvement, but the insured might think this is not the case,\u201d he says. Putting proper procedures in place will be key, and to get attribution right an organization will need proper and effective monitoring on its systems to assist in an investigation, Armstrong adds.<\/p>\n<p>However, Assured\u2019s Ventham says state-backed cyberattacks are excluded only if the threshold for \u201cwar\u201d or \u201ccyber war\u201d is met \u2014 a condition never met even by the most destructive state-backed cyberattacks ever recorded.<\/p>\n<p>\u201cWar is typically defined in cyber insurance policies in its most traditional sense, think physical acts of war (invasions, boots on the ground),\u201d according to Ventham. 
\u201cCyber war is typically defined as a state-backed cyberattack (or series of state-backed cyberattacks) that seriously impacts another state\u2019s ability to function or seriously impacts its defence capabilities, for example.\u201d<\/p>\n<p>Ventham concludes: \u201cFor clarity, no cyberattack in history, not even the <a href=\"https:\/\/www.csoonline.com\/article\/573049\/5-years-after-notpetya-lessons-learned.html\">NotPetya attacks in 2017<\/a>, would have triggered the war exclusion found in cyber insurance policies.\u201d<\/p>\n<p>There is some disagreement, even among specialist cyber insurers, on whether war exclusions ought to concern business leaders because they might become an issue in potential claims.<\/p>\n<p>Cowbell\u2019s Werth tells CSO that war exclusions are still very much a feature of many cyber insurance policies.<\/p>\n<p>\u201cWe\u2019re noticing a growing trend of carriers introducing \u2018War Exclusions\u2019 onto their policies to exclude state-backed cyberattacks, with varying degrees of coverage reinstated through \u2018carvebacks\u2019 for cyber terrorism,\u201d Werth explains. 
\u201cA carveback is an exception to an exclusion that restores coverage in specific scenarios, meaning that while state-sponsored attacks may generally be excluded under war clauses, cyberterrorism might still be covered under certain conditions depending on the policy\u2019s wording.\u201d<\/p>\n<p>Werth adds: \u201cThese exclusions started during the hard market and have become relatively commonplace across cyber insurance offerings.\u201d<\/p>\n<p>Lloyd\u2019s markets continue to apply the war exclusion to their policies meaning all state-backed cyberattacks are excluded.<\/p>\n<p>\u201cCompany markets (non-Lloyds) have the freedom to not include a war exclusion, however, in nearly all cases we see some form of exclusion which is tantamount to the Lloyd\u2019s war exclusion,\u201d according to Bell.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Cyber insurance statistics<\/h2>\n<p><a href=\"https:\/\/datahealthcheck.databarracks.com\/2024\/\">Databarracks\u2019 Data Health Check<\/a> \u2014 an annual survey of 500 UK IT decision-makers \u2014 found that while more organizations than ever have cyber insurance, the number of claims is down.<\/p>\n<p>Two-thirds (66%) of those surveyed report having insurance specifically for cyber in 2024, rising from 51% over the past two years. But as more organizations take out policies, just 36% made a claim this year, falling from 58% in 2022.<\/p>\n<p>In previous years, the majority of organizations chose to pay out in the event of an attack but this year twice as many organizations were able to recover data from backups rather than meeting the demands of ransomware groups.<\/p>\n<p>The amount organizations are claiming against their cyber insurance policies has also decreased, with claims over \u00a31 million decreasing from 48% to just 16% in 2024.<\/p>\n<p>A separate survey of 300 IT decision-makers from security vendor Delinea paints a contrasting picture. 
It found that cyber insurance claims remain high, with 62% of respondents filing a claim in the past 12 months. Notably, over 27% of these respondents have filed multiple claims.<\/p>\n<h2 class=\"wp-block-heading\"><strong>How to assess your cyber insurance needs<\/strong><\/h2>\n<p>Once a company has understood the state of the current cyber insurance market and the scope of coverage, it can then explore whether a policy will be of benefit.<\/p>\n<p>Assured\u2019s Ventham offered a checklist for how organizations should go about assessing their cyber insurance needs:<\/p>\n<p>What would be the impact if you had a cyberattack that took your business offline for a day, a week, or a month, etc.?<\/p>\n<p>How quickly would you prevent that attack from spreading?<\/p>\n<p>What risk can you afford to take on yourselves?<\/p>\n<p>How prepared are you to respond to an incident?<\/p>\n<p>What are you looking for in a cyber insurance partner? Is your insurer addressing your risk and concerns? Are you confident they will pay out?<\/p>\n<p>Richard Seiersen, chief risk technology officer at Qualys, who previously worked in the same role for cyber insurance provider Resilience, says organizations need to quantify what they stand to lose from potential attacks, ransomware in particular.<\/p>\n<p>Losses fall into three categories: extortion, business disruption and potential data breach.<\/p>\n<p>\u201cAs a defender you are exposed to all three of these loss classes,\u201d according to Seiersen. 
\u201cKeep in mind that around 70% of ransomware attacks include data breach, but that more modern attacks may be data breach-only to motivate extortion.\u201d<\/p>\n<p>You will also have to assess the current state of your security operations and be prepared to make investments to improve those operations should an insurer require you to do so after performing a pre-insurance audit.<\/p>\n<p>\u201cMany insurers will now conduct a pre-insurance scan of public-facing infrastructure and assets,\u201d ESET\u2019s Anscombe says. \u201cThe scan will highlight any existing weaknesses, such as unpatched servers, public facing RDP [Remote Desktop Protocol] servers, expired certificates, and the like.\u201d<\/p>\n<p>While inspections of internal systems are typically excluded from these audits, they nonetheless offer insurers insights into a potential client\u2019s security maturity, allowing them to assess their risk profile.<\/p>\n<p>The process of meeting the insurer\u2019s requirements should, at least in theory, reduce the risk for a company whether they opt to adopt insurance or not.<\/p>\n<p>\u201cInsurance firms could be at the forefront of a new wave of \u2018baseline standards\u2019 which could be much more dynamic and responsive to the threat landscape than any international standard or industry regulator,\u201d Proofpoint\u2019s resident CISO Andrew Rose adds.<\/p>\n<h2 class=\"wp-block-heading\">Is cyber insurance worth it for your business?<\/h2>\n<p>Insurance policies can help organizations recover following a successful attack and can help reduce risk. They can also enable organizations to earn business, as many organizations require it from their vendors and partners.<\/p>\n<p>Even so, some organizations find they can\u2019t justify paying the premiums; some \u2014 particularly small and midsize enterprises \u2014 find they can\u2019t meet the controls insurers now require. 
Still others decide they\u2019re better off investing in their security programs rather than in insurance.<\/p>\n<p>\u201cYou have a decision to make as a business what you can afford. It\u2019s a cost-benefit analysis,\u201d says Protiviti\u2019s Pisano.<\/p>\n<p>To make this decision, CISOs are being called to work with risk, legal, and other executives to evaluate their organization\u2019s cybersecurity postures, articulate the threat landscape, quantify risks, and make recommendations on the best path forward, he says.<\/p>\n<p>For some, the decision ends up being to <a href=\"https:\/\/www.csoonline.com\/article\/574591\/7-reasons-to-avoid-investing-in-cyber-insurance.html\">avoid making the cyber insurance investment<\/a>.<\/p>\n<p><strong>More on cyber insurance:<\/strong><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3537205\/cyber-insurance-price-hikes-stabilize-as-insurers-expect-more-from-cisos.html\">Cyber insurance price hikes stabilize as insurers expect more from CISOs<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/570783\/17-cyber-insurance-application-questions-youll-need-to-answer.html\">17 cyber insurance application questions you\u2019ll need to answer<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/574591\/7-reasons-to-avoid-investing-in-cyber-insurance.html\">7 reasons to avoid investing in cyber insurance<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/575469\/cyber-liability-insurance-vs-data-breach-insurance-whats-the-difference.html\">Cyber liability insurance vs. 
data breach insurance: What\u2019s the difference?<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/574157\/what-you-should-know-when-considering-cyber-insurance-in-2023.html\">What you should know when considering cyber insurance<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3480397\/how-cyber-insurance-shapes-risk-ascension-and-the-limits-of-lessons-learned.html\">How cyber insurance shapes risk: Ascension and the limits of lessons learned<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/650609\/time-and-effort-to-obtain-cyber-insurance-increasing-for-us-businesses.html\">Time and effort to obtain cyber insurance increasing for US businesses<\/a><\/p>\n<p><em>This article was originally published on Oct. 5, 2022, and has been updated since.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>What is cyber insurance? Cyber insurance, also known as cyber risk insurance or cyber liability insurance coverage (CLIC), is an insurance policy that helps cover costs associated with data breaches or cyberattacks. Cyber insurance mitigates the risk exposure of a business by offsetting costs involved with damages and recovery from a cyber event. 
Policies typically [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-567","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/567"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=567"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/567\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/568"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}