Rising insurance premiums and financial constraints are forcing many businesses to give up on cyber insurance. According to security experts, a lack of insurance cover could make them more vulnerable financially. But is there a way out for businesses, particularly SMBs operating on a tight budget? Let’s hear from experts.
Cyber insurance costs increased by 102% in the first quarter of 2022. In addition, the number of companies facing coverage denials, severe coverage restrictions, or complete inability to pay for cyber insurance is expected to rise by 2023. These effects are unavoidable as the world experiences an alarming jump in cyberattacks, stricter regulations, and mounting financial difficulties due to recession.
Due to budget constraints, about 30% of small and medium-sized businesses (SMBs) discontinued their cyber insurance contracts in 2021. According to Jamie Akhtar, CEO and co-founder of CyberSmart, these numbers are highly concerning.
Cyber insurance is a vital last line of defense for SMEs, and with many businesses canceling their policies, more and more are effectively gambling that they won’t be attacked. The results could be catastrophic.
– Jamie Akhtar, CEO and co-founder of CyberSmart
The state of the cyber insurance sector
Premiums are up, whereas the coverage limits and access to coverage are decreasing. In other words, it’s harder and more expensive to obtain the same coverage that businesses previously enjoyed, says Tim Marley, VP audit, risk & compliance, field CISO at Cerberus Sentinel. “This is a recurring theme amongst our clientele as well. Across the board, we’re seeing an ongoing struggle to obtain sufficient coverage with affordable premiums. A significant number of SME clients are dropping or reducing cyber insurance coverage as a result of these challenges.”
Roger Grimes, data-driven defense evangelist at KnowBe4, seconds Marley. “It certainly is in a massive state of increasing requirements, increasing premiums, and lower coverage.” Ransomware and BEC scams have significantly interrupted the massive profit stream of the cyber insurance industry. He believes that even though cybercrime has been around since the beginning of computers, it was a rare occurrence for decades. Cyber insurance firms could write as many policies as possible and still get 40% to 60% profits, but those days are long over. “There are fewer cyber insurance firms this year than in the previous few years. Customers have to prove they care about cybersecurity, and they will pay more to get less coverage.”
Scott Connarty, general counsel at Adarma, says, “Driven by heightened awareness of cyber threats, the rapid adoption of cloud computing, and the swift digitization of critical businesses such as financial services, there’s an exponential growth in the cyber insurance market with Europe being one of its fastest growing markets. The cyber insurance market is continually evolving, and we are seeing the market begin to tighten its terms and conditions and thus the coverage of their cybersecurity policies.”
Given the fast-evolving nature of the cyber threat landscape, the rising cost of ransoms, and increasingly rigorous regulatory controls, insurance companies will continue to review and refine their policies to provide greater clarity over what they will and will not cover.
– Scott Connarty, general counsel at Adarma
The pandemic’s impact on cyber insurance
Sam Soares, chief growth officer at CyberSmart, believes, “Cyber insurance finds itself in an odd bind. We’ve seen cybercrime increase dramatically over the course of the pandemic, making it more important than ever.”
Yet, at the same time, the market for cyber security ($170bn) was 28 times larger than that of cyber insurance ($6bn) in 2020 and growth projections for 2027-28 will still place the security market at over 10x larger than the insurance market.
– Sam Soares, chief growth officer, CyberSmart
“So it’s clear that not enough organizations have cyber insurance. And, while that trend is set to change a little over the next five years, spending on insurance vs. security isn’t likely to be anywhere close to parity anytime soon,” adds Soares.
“Some of this is down to businesses’ perceptions of cyber insurance; it’s often poorly understood or viewed as a nice to have rather than essential. But it’s also the case, particularly for smaller businesses, that rising premiums are pricing them out of the market. To be clear, this isn’t the insurers’ fault, the rise in cybercrime has effectively thrown a spanner into the works for their traditional business model, but it’s clear something needs to change.”
Insurers have also changed tack and will only provide coverage to businesses that maintain a certain level of cyber security sophistication within their organizations.
– Scott Connarty, general counsel at Adarma
“With cyber insurance no longer sufficiently protective or affordable in many cases, the most important risk mitigation exercise for companies in 2022 should be improving cyber security resilience and governance,” suggests Connarty. How? The top tips are listed below.
Top Tips To Stay Prepared Against Cyber-attacks
A defense-in-depth approach
According to Grimes, here are four things all defenders should do to mitigate hacker and malware attacks:
Assess, determine, and be serious
Marley outlines another three key tips. The first is to keep in mind that the insurance market is all about risk. If you proactively assess your cyber security risk and then respond accordingly to address that risk, you’ll have greater access to coverage that meets your needs at a more affordable level. Therefore:
The second is to determine the appropriate risk responses for each risk identified:
The last is that when you show your cyber insurance provider that you are taking your cyber security strategy seriously, they will respond favorably.
Be cyber resilient
Connarty advocates the need for organizations to pursue a road to self-insurance. “Organizations should continue to focus on strengthening their cyber resilience through the continuous evaluation of their preventative, detective, and response capabilities. Maintaining and improving cyber resilience is an ongoing process.”
Train staff and be proactive
Soares advocates for following the security controls outlined by the government’s Cyber Essentials certification. But we also suggest regular staff training in cybersecurity basics. “Human error causes the majority of successful cyber attacks, but if your people aren’t aware of which behaviors are harmful or what to look out for, they’re much more likely to fall prey to threats.”
He thinks we’re probably moving towards a time when insurers will begin to demand evidence that cybersecurity standards have been met before a policy is granted. Being proactive about your cybersecurity is the best way to get ahead.
Given the present situation, it is obvious that something needs to be done to make cyber insurance more affordable, especially for small or medium-sized enterprises. “A SaaS-led approach with an incorporated insurance strategy that focuses on achieving fundamental cyber hygiene is one potential remedy,” suggests Akhtar. The use of technology by insurers to mitigate risk and lower premium costs has not been extensively implemented. As a result, insurers are forced to choose between offering competitive pricing and not controlling risk as they would with other products.