The first half of this year saw one cybersecurity vendor block 63 billion threats, a year-on-year rise of 50%, while cyber insurance costs shot up by 102% in the first quarter. Terms and conditions for coverage have also been tightened. Lloyd’s of London, for example, went as far as to eliminate coverage for breaches that arose directly from state-sponsored attacks, a sizeable portion of the overall damages accrued from ransomware.
Cyber insurance does not have a long history. The market, explains Mario Vitale, chief executive of cyber insurance provider Resilience, has only been around for about 15 years. “I have to say we are still within the infancy stage,” he says, a term that’s also relevant when describing the segment’s size.
“I think the insurers are still figuring out, ‘How confident are we in our ability to estimate and predict this risk?’” says Josephine Wolff, a professor in cybersecurity policy at Tufts University. Over time, adds the professor, this has led to a “less stable market… and a lot of uncertainty in which people aren’t confident about what their cyber insurance will cover.”
Ongoing volatility is making reinsurers nervous
The process of drawing up cyber insurance policies is rigorous. It begins with an assessment of how well-equipped the client is to deal with a cybersecurity threat from a governance standpoint. Providers typically drill down into the mundanities of cyber defense: whether multi-factor authentication is in place on corporate devices, how data is uploaded to the cloud, and the extent of security awareness training among staff. But cyberattacks are happening so frequently that underwriting standards sometimes can’t match the fast development and sophistication of the hacks.
The solution? Some call for a federal backstop
Insurers are raising rates to levels that make it hard for businesses to find affordable coverage. A federal insurance backstop could close the gap as insurers cut coverage to limit their exposure.
Federal financial support for certain cyber risks would also give insurers relief and security to make cyber insurance more widely available, said Andy Moss, a partner at Reed Smith LLP. “A cyber insurer can write policies with comfort knowing it can transfer some risk to the government so that it can offer bigger policy limits for businesses,” Moss said.
The Treasury Department’s Federal Insurance Office is seeking comment on a list of questions, including what kinds of cyberattacks are “catastrophic,” whether businesses are getting enough coverage, and how to encourage policyholders to strengthen cybersecurity practices.
What to do now to protect your business
Even if you have a cyber insurance policy, there’s no guarantee that the attack scenario you encounter is covered; many organizations have had to go to court to get paid out under their policy.
So, the best plan is to have as secure an environment as possible – including securing your users with continual Security Awareness Training to minimize the threat of email- and web-based social engineering attacks designed to give attackers entrance into the organization’s network.
Yeo & Yeo Technology can help you get started.
Information used in this article was provided by our partners at KnowBe4.