Mary K. Pratt
Contributing writer

What you should know when considering cyber insurance in 2023

Feature
Dec 06, 2022 | 10 mins
Cyberattacks | Insurance Industry

When even the best-laid cybersecurity plans fail, cyber insurance can help mitigate an organization’s exposure to financial and operational risk—but the insurance landscape is shifting with the times.


As the frequency and severity of ransomware, phishing, and denial of service attacks have increased, so has demand for cyber insurance. About $6.5 billion in direct written premiums were recorded in 2021, a 61% increase over the prior year, according to an October 2022 memorandum from the US-based National Association of Insurance Commissioners. “Some companies see it as essential to their risk management strategy,” says Heather Engel, managing partner at advisory firm Strategic Cyber Partners.

However, experts say that cyber insurance might not be readily available to all who want it in 2023. Enterprise executives are finding that policy costs are rising, and insurers are asking for more proof that strong cybersecurity strategies are in place before agreeing to provide coverage. Many companies may have no choice but to meet such terms, as more organizations are requiring that their business partners have cyber coverage.

Such market dynamics mean that CISOs now have a much bigger role in discussions about and procurement of their organization’s cyber insurance policies. “It’s a conversation that needs to be happening across the C-suite, with the CEO, risk management, and the CISO. They all need to be thinking about the risk management strategy writ large,” says Tracy Wilkison, senior management director at FTI Consulting.

How cyber insurance has changed

Early versions of cyber insurance policies date back to the late 1990s, although organizations then and through the early part of this century typically relied on more conventional insurance policies to cover cyber events. That changed around 2015, as more insurers started to offer standalone cyber insurance policies.

Around the same time, some insurers started to argue that more general insurance policies shouldn’t cover cyberattack losses. That message hit home after the 2017 NotPetya attacks when some claims were denied on the basis that cyberattacks initiated by bad actors allegedly backed by nation-states were to be considered acts of war and thus excluded under the existing policy language.

Two notable legal cases followed.

Merck & Co., the pharmaceutical company, sued its insurer after being denied coverage under its all-risk property insurance policy for its reported $1.4 billion in losses. A New Jersey judge ruled in Merck’s favor in early 2022.

In the second case, the multinational food and beverage company Mondelez International sued its insurer after having a claim denied following a 2017 attack. It settled with its insurer, Zurich American Insurance, in 2022.

Such insurer actions combined with the growing volume of successful cyberattacks and increasing resultant costs have fueled a growing interest in standalone cyber insurance policies, says Alla Valente, a senior analyst with Forrester Research. Yet that interest comes as insurance is becoming harder to obtain, she says. Several years ago, organizations that wanted coverage could generally get a policy with relative ease. “But then the pandemic hit, and not only were insurers getting lots of business disruption claims, they were also seeing a significant increase in cyberattacks,” she says.

Moreover, Valente says insurers around that time were seeing that cyber incidents, their fallout, and the recovery costs were much harder to predict than real-world events about which they had long histories of actuarial data. “For example, if a business is interrupted by a flood, they’re going to see certain losses and there are predictable parameters—it’s a contained event, happening in a certain locality,” Valente says.

“But that’s not how cyber events work; events can be widespread. In this ecosystem of relationships that every organization now has, [an attack] is like a disease where it starts in one place and can spread very, very quickly. So, if one company is a victim of a cyberattack, everyone they do business with can be impacted.”

Obtaining cyber insurance means meeting increasing requirements

Insurance provider Hiscox surveyed 5,181 companies of varying sizes and sectors in eight countries for its 2022 Cyber Readiness Report and found that 64% had cyber insurance either as a standalone policy or part of another policy, up from 58% two years earlier.

The Hiscox survey also found that the percentage of companies reporting a cyberattack in the prior 12 months increased year-over-year: 48% in 2022 compared to 43% in 2021. The median cost of an attack also rose 29% to just under $17,000. And 20% of companies that suffered an attack said their solvency was threatened, an increase of 24% from the prior year.

Meanwhile, Delinea, which makes privileged access management software, in November published a cyber insurance report based on a survey of 300 US-based IT decision-makers. It found that 80% of companies with cyber insurance have had to use their policies, and more than half of those have used them multiple times.

Insurers have responded to the increasing number of claims and costs by requiring organizations to have robust security controls and to demonstrate that those controls are working. “You used to fill out a basic questionnaire and you could get a policy. But that has changed over the past several years,” Engel says. “Now insurers require more controls such as multi-factor authentication (MFA) or you either won’t get a policy or won’t get complete coverage. And now companies are being asked to provide incident response plans.”

Cyber insurers asking for more from applicants

Security advisors and consultants say they see insurers asking more questions of those seeking insurance policies. They’re requiring proof that applicants have achieved certain levels of security hardening, such as SOC 2 compliance. They’re reviewing security strategies and policies as well as security training and awareness programs. “Insurance companies are taking a closer look at all of those,” Wilkison says.

This in turn has required more involvement from enterprise security leaders in the insurance procurement process. “What CISOs are seeing is that they’re going to have to be more involved in showing their readiness levels,” Wilkison says. CISOs may also have to make adjustments to their strategies based on insurer demands.

“If you want to get your claim, you usually have to use their panel of vendors or follow their procedures,” says Michael Pisano, a managing director at global consulting firm Protiviti. For example, policyholders will be required to have detailed response and recovery plans in place; in the event of an incident, insurers want clients to meet specific requirements, such as which lawyers should be used and what forensics should be performed, and by whom. As a result, he says, CISOs need to understand those requirements and incorporate them into their playbooks.

Even then, there is no guarantee that insurers will cover the losses, experts warn. Insurers may require organizations to prove that their security teams followed through on all plans and continuously maintained the security levels they described when obtaining their policies.

Valente points to a 2022 case filed in an Illinois federal court by Travelers Property Casualty Company of America against International Control Services. Travelers Insurance asked the court to allow it to rescind a policy it issued to ICS, saying it shouldn’t have to pay ICS’s ransomware claim because ICS allegedly misrepresented its use of MFA. “So, if something lapses, your company could be on the hook for more [of the incident response costs] or it could mean the policy is null and void,” Valente says.

Companies rethink cyber insurance approaches as costs increase

These dynamics mean that executives are not only seeing more stringent requirements to obtain cyber policies, they’re also seeing the costs of those policies climb. As Wilkison explains: “There’s a huge increase in ransomware attacks and other types of attacks and that means insurance companies are paying out a lot more in ransomware and breach costs, so they’re increasing prices. Prices have really skyrocketed.”

Some 75% of those surveyed for the Delinea report said they saw their premiums increase the last time that they renewed their policies. At the same time, experts say policies vary in their coverage. The Delinea report found that only about 30% of organizations had policies covering ransomware, ransom negotiations, and decisions on ransom payment. Only 48% said their policies cover data recovery, and about a third said their policies cover response, regulatory fines, and third-party damages.

Given the rising costs and limitations on coverage, some organizations are evaluating their options. As Engel says: “It begs the question if the policy is worth what you’re paying for it, and that’s something only the company itself can answer.”

Is cyber insurance worth it in the long run?

Of course, insurance policies can help organizations recover following a successful attack and can help reduce risk. They can allow organizations to compete and earn business, as many organizations now require it from their vendors and partners.

Even so, some organizations are finding that they can’t justify paying the premiums, even if it might cost them business opportunities; some—particularly small and medium-sized enterprises—are finding that they can’t meet all the controls that insurers now require before issuing coverage. Still others are deciding they’re better off investing more in their security programs rather than in insurance.

“I have some clients—and they tend to be larger—who have looked at costs of cyber liability as costs have gone up, and the benefits and the drawbacks, and they’ve decided it’s not worth the coverage. They’re taking the money they would have paid into the policy and setting it aside and they’re saying they’re going to just deal with it in-house,” Engel says. “That’s not the solution for everybody; it’s not for those who don’t have tools to identify when a breach is happening and who can’t do the investigative work. But for companies with that depth or the ability to outsource it, that’s something they’re starting to take a look at.”

Not surprisingly, CISOs and other executives don’t publicly discuss such deliberations or their policies, noting that they don’t want to give attackers any incentive to target them by disclosing whether they have cyber coverage or what it covers. But experts confirm that those discussions are increasingly happening.

And they confirm that in those cases, CISOs are being called on to work with risk, legal, and other executives to evaluate their organization’s cybersecurity posture, articulate the threat landscape, quantify risks, and make recommendations on the best path forward, Pisano says.

“You have a decision to make as a business what you can afford. It’s a cost-benefit analysis,” he adds.