Cyber Insurance Isn’t What It Used to Be for Insurers or Businesses
Cyber insurance has been a growing field. It was once looked at as a potential profit center for insurance companies, but the battering that insurers received in 2020 and 2021 is making them rethink that conclusion. With cybercrime numbers ballooning across the board, many businesses are taking a look at the potential impact of a cyberattack on their revenue and then calling their insurance broker right away. But the cyber insurance market is more volatile than home or auto insurance, often leading to high pricing and strict coverage limitations. Can businesses rely on cyber insurance to protect their bottom line in case of cybersecurity trouble?
Insurers Are Feeling the Heat and Stepping Away from the Fire
The costs of cybercrime have been steadily escalating for businesses and insurers. In this year’s IBM Cost of a Data Breach Report, researchers determined that the average cost of a data breach in 2021 is estimated at $4.2 million per incident, the highest ever recorded in the 17 years of study. Add ransomware to that breach and businesses are looking at a bill of $4.62 million before any ransom paid is even factored in.
Ransom amounts are also rising. In IBM’s Cyber Resilient Organization Study, researchers looked at organizations that had fallen victim to ransomware and what their ransom demands looked like. The majority of respondents, 46%, said that cybercriminals demanded ransoms of $2 – 10 million from their organizations, and 19% reported a ransom demand of $10 million to more than $50 million. Ultimately, they determined that just 35% of the impacted organizations reported a ransom demand of less than $2 million. A report in Tripwire drilled deeper, revealing that the average ransoms paid by organizations have increased by 82%. The average demand is now a record $570,000 (£414,000), compared with just $170,000 (£123,000) in 2020.
Insurance Companies Aren’t Profiting Like They Expected
Covering cyber incidents has not panned out as a new profit center for insurers. Fitch Ratings calculated that direct written premiums for property/casualty cyber insurance, which often include ransomware coverage, more than doubled from just over $1 billion in 2015 to $2.3 billion in 2019. During the same period, insurers’ direct loss ratio, a measure of the proportion of collected premiums that get paid back out to clients making claims, never surpassed 50%. But that sweetheart deal did not last. Data from leading analytics firm S&P Global shows that the loss ratio from cyber insurance has risen in recent years. From 43 cents for every dollar in 2016, the figure has jumped to 73 cents per dollar in 2020. That means that insurers are making much less money than they used to from cyber insurance, and they’re paying out more money.
The newly released Corvus Risk Insights Index for Q4 2021 outlines some of the ways that insurers have been taking damage from cyber insurance claims. The report says that insurers saw a steady increase in the frequency of ransomware claims from Q2 2020 through Q1 2021, leveling off in Q2 and Q3 2021. In their Anatomy of a Ransomware Claim, research shows that the bills are universally on the rise. The cost of the ransom payment itself is rising as a share of the overall cost, clocking in at 30% of the total. The breach response costs a company can expect to pay are up by more than 20%. One major increase has been in the costs of the vendors who assist in forensics and recovery efforts, increasing from 30% to 52%.
Big Exposure With Little to Show for It
The Harvard Business Review showcased an excellent breakdown of the short-term problem with cyber insurance from an insurer’s perspective provided by risk adjudicator PCS. The 500 companies that they count worldwide carrying $100-199 million in insurance represent approximately one-quarter of the total global cyber insurance premium. It would only take a handful of losses from those insureds to wipe out the $1.44 billion in premium they generate for insurers.
That loss to insurers becomes even steeper as the coverage amounts for insureds go up. PCS estimates that companies with at least $200 million in cyber insurance account for a bit more than 20% of the estimated $5 billion in the global cyber insurance premium kitty, amounting to roughly $1.1 billion in premium. If those 250 companies buy at least $200 million in protection, it would only take five insured losses of a bit more than that amount to wipe out an entire year’s premium – and only 2% of the companies in the market are buying that much coverage. An estimated 40 companies worldwide carry at least $500 million in protection. In that pool, two total losses could wipe out a year’s premium. PCS speculates that it would take insurers half a century to earn enough premium to compensate.
Insurance Costs Are Rising
The epic rise in cybercrime is directly responsible for the major rise in pricing for cyber insurance. Cyber insurance premiums are up by 56% in the US and 35% in the UK. Insurance industry experts point to ransomware as the cause of such steep increases. Ransomware cyber insurance claims worldwide clocked a 260% increase in 2020. Risk management professionals will not be pleased by expected premium spikes in 2021 heading into 2022, with a typical premium spike of 30%-45%. Sectors hit hard over the past year, including education, government, healthcare, construction and manufacturing, have seen premiums increase by 300% or more at renewal time.
Insurers are increasingly placing restrictions on the coverage that companies can buy for cyberattacks because of the frequency and severity of cyberattack losses, especially ransomware, and that’s something most business executives may not be expecting. AIG has also announced that it is tightening restrictions on cyber insurance policies and raising or maintaining high premiums. AIG’s premium prices are up by more than 40% worldwide.
Faced with numerous time-consuming and expensive complications combined with escalating risk, many major insurers are getting out of the game altogether or ratcheting up their requirements so tightly that it discourages new business simply to protect their organizations from paying out high dollar claims. The venerable insurer Lloyd’s of London has captured about a fifth of the global cyber market, but it is not feeling very optimistic about continuing to pursue that business. Reuters reports that Lloyd’s is discouraging its 100-odd syndicate members from taking on cyber business next year.
To Pay or Not to Pay…
Ransom payments and whether or not to pay them are a hot topic for cyber insurers too, and many of them are opting out of the payment chain. Insurance giants like AXA have announced that they will no longer underwrite cyber insurance policies to reimburse companies for ransom payments after cyberattacks. Paying ransoms is an increasingly complex and controversial topic. In the US, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that paying ransom to cybercriminals is likely to be unlawful. Organizations that pay ransoms to cybercriminals or facilitate ransomware payments on behalf of victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, are violating OFAC regulations.
Unfortunately, far too many businesses still aren’t taking security seriously, setting their organizations up for trouble that could drive them to make a claim and find out that their incident isn’t covered. In a recent CNBC/Momentive Small Business Survey, 56% of the SMB owners surveyed said they are “not very concerned” about being the victim of a cyberattack in the next 12 months, and among those, 24% said they were “not concerned at all.” It’s not just at the SMB level that business decision-makers are overconfident about their company’s data security. Bigger businesses aren’t taking the threat of a cyberattack any more seriously. Over 65% of senior-level decision-makers said they didn’t believe the businesses for which they’re responsible would ever fall victim to a cyberattack.
Rely on Security Instead of Insurance to Protect Your Business from Cybercrime Losses
Businesses cannot rely on insurance to be a viable safety plan in the event of a cyberattack. That makes it imperative that organizations prevent themselves from being in a position to make a claim. The ID Agent digital risk protection platform can help.
Passly includes an array of identity and access management tools cited by experts as key security moves that add immediate protection against human error disasters. Your savings and benefits begin immediately with robust functionality. Essentials like multifactor authentication and single sign-on make remote management and access control easy. Automated password resets will make your IT team happy and give them more time.
Dark Web ID enables you to get a clear picture of your company’s credential compromise threats from dark web sources. Our 24/7/365 always-on monitoring alerts businesses to credentials appearing on the dark web that may have been stolen or phished, to mitigate the risk of bad actors using a stolen password to gain access to your systems and data. Automated alerts and reporting mean that your team doesn’t need to spend time staring at a dashboard or pulling reports.
BullPhish ID improves your staff’s security awareness and increases phishing resistance. But they’ll learn about much more than just phishing, including compliance, password safety, security hygiene and more, giving every employee a solid grounding in cybersecurity pitfalls and best practices. Choose from our plug-and-play complete training modules and phishing simulations or customize the content to reflect the unique industry risks those employees face daily.
See them in action in these short demonstration videos: https://www.idagent.com/learn-more
Contact our solutions experts today to learn how your business can benefit from strong, affordable security and receive a personalized demonstration.