Why are cyber insurance premiums going up, and how can you get a better deal?
It may not have attracted as much attention as the coronavirus, but ransomware has become a pandemic unto itself – and it’s sending the price of cyber insurance skyrocketing. Here’s what you can do to keep your premiums as low as possible.
Cyber insurance is a relatively new addition to the insurance market that helps to protect organisations from the fallout of being hacked.
According to the Insurance Council of Australia, cyber insurance is typically available to cover:
- Costs related to the loss of or damage to data
- Content-related claims related to data
- Costs to prevent future breaches
- Fines and penalties imposed by regulators
- Public relations costs
- Liability for denial of service from or access to electronically provided data
- Costs associated with cyber extortion reimbursement
- Compensation to third parties for failure to protect their data
But at a time when more organisations are clamouring for these sorts of protections, cyber insurance carriers are raising premiums and limiting the coverage they’re willing to offer.
In a recent report entitled Cyber insurance: A hard reset, multinational insurance broker Howden reported that global insurance pricing had increased by an average of 32 per cent from June 2020 to June 2021.
Similarly, insurance broker Marsh’s latest Global Insurance Market Index found that cyber insurance premiums shot up 56 per cent in the US and 35 per cent in the UK from the second quarter of 2020 to the second quarter of 2021.
Marsh reports that Australian businesses, specifically, have been slugged with cyber insurance premium jumps of up to 30 per cent, and those prices are expected to just keep rising.
Why are cyber insurance premiums going up?
Essentially, cyber attacks are becoming too common for the insurance sector, whose profits rely on businesses insuring themselves against scenarios that may never happen. With hacks becoming a virtual inevitability, safeguarding businesses against them is an increasingly shaky prospect for insurers.
According to both the Howden and Marsh reports, it’s the frequency and severity of ransomware attacks – in which cybercriminals take control of a network and demand payment to hand it back – that are driving cyber insurance prices skyward.
The number of ransomware attacks worldwide shot up 170 per cent from the first quarter of 2019 to the fourth quarter of 2020, according to Howden, while the average cost of a ransomware attack is up 145 per cent in 2021 compared to 2020.
There are a number of reasons for the rise of ransomware, including the availability of low-cost ransomware kits and ransomware-as-a-service (RaaS) offerings that enable users to launch ransomware attacks without any technical expertise on their part, effectively lowering the barrier to entry to the cybercrime ‘industry’.
The proliferation of double extortion is also a factor – in a double extortion attack, not only do cybercriminals take control of your system and demand payment for its return, but they also threaten to leak the data they’ve stolen from you, and demand a separate payment not to do so. Ransomware group REvil had the dubious honour of being the first to use the double extortion tactic in June 2020, and it’s since taken off worldwide.
As is so often the case, the COVID-19 pandemic is also partly to blame. The sudden explosion in remote work, and the acceleration in digitalisation that has come with it, has dramatically increased the attack surface available to cyber criminals and made it harder for breaches to be discovered.
IBM and Ponemon’s Cost of a Data Breach Report 2021 found that data breaches were 17.5 per cent more costly where remote work was a factor, and that organisations that had more than half of their workforce working remotely took 58 days longer to identify and contain breaches, on average.
Not only has the rash of ransomware attacks sent cyber insurance premiums soaring, it has also affected the coverage that some insurers are willing to offer. In May, French insurance giant AXA announced it would no longer write policies that reimburse ransomware victims – and was immediately hit with a retaliatory ransomware attack – while other insurers are declining to take on new clients, or capping their coverage at about half of what they used to offer.
How can you lower the cost of your cyber insurance policy?
A wide range of factors can impact your cyber insurance premium, including the size of your business and its annual revenue, the industry you operate in, and the type of data you have access to.
But in much the same way that a high-risk driver will have to pay more for car insurance, the Howden report found that insurers are demanding more from businesses’ cybersecurity, and will charge organisations that are more likely to fall victim to a breach a higher premium – or refuse to insure them altogether.
This is in line with a recent letter from the Insurance Council of Australia to the Department of Home Affairs, in which the Insurance Council wrote: “Insurance underwriters place a strong focus on a customer’s risk management and security culture when reviewing, assessing and pricing the risk. Effective risk management, including a strong internal security culture, can be the most effective defence against threats.”
This might seem like a no-brainer, but it hasn’t always been this way. In the past, insurers might have just asked potential clients to fill out a questionnaire about their cybersecurity practices, and taken them at their word that their house was in order.
In today’s environment, however, these insurers are partnering with outside firms to vet potential clients’ cybersecurity protocols, and demanding to see evidence that they have appropriate controls in place and are following best practices, including using multi-factor authentication, implementing zero trust policies, and backing up and encrypting their data.
For instance, the IBM and Ponemon report on the cost of data breaches found that organisations using high standard encryption – at least 256 AES, at rest and in transit – had an average breach cost that was 29.4 per cent lower than organisations using low standard or no encryption. Insurers, who are likely to be aware of that data, might then offer broader cover and better pricing to organisations that can demonstrate they’re using strong encryption technology.
Companies that take a proactive approach by providing cyber security education for all employees, including advice on how to identify suspicious emails and requests, are also likely to be looked upon favourably by insurers.
“Carriers… are demanding extremely high cyber security standards,” says Shay Simkin, Global Head of Cyber at Howden.
“Impeccable cyber security hygiene is therefore crucial for companies looking to purchase cyber insurance cover. Not only does it open up capacity availability, it also helps provide more favourable pricing and terms.”
Or, as the Insurance Council of Australia puts it: “Capabilities that indicate a strong risk management and security culture may, for instance, include internal data handling and internet usage policies for all employees across the business, adequate prevention, detection, and response security capabilities and internal data breach incident response plans. Guidance and resources that support businesses, especially small businesses, to protect themselves against cyber threats can strengthen risk management and security practices.”
This isn’t a set-and-forget proposition, either. In many cases, insurers will reassess their policies every 12 months, so even after you use your organisation’s preparedness to get a good deal on cyber insurance, you’ll need to ensure you maintain those high standards and keep the proper procedures in place.
Then again, why wouldn’t you? Cyber insurance is not, in and of itself, a cybersecurity strategy, and no matter how low your premium is and how great the terms of your coverage are, it should only be used as a last resort. The best response to a breach is still to avoid being breached at all.
At the end of the day, if your business never has to make a cybersecurity claim, it’ll be a win for your insurer – but it’ll be a win for you and your clients and customers, too.
With its unique three-key encryption technology, Cryptoloc is the world’s safest cybersecurity platform. To show you take data management seriously, visit cryptoloc.com.