Share

Tackling the Growing Problem of Cyber Liability Insurance Costs

If you’ve tried to acquire a new cyber liability insurance policy recently, you’ve probably found that to be more difficult than anticipated. If you were fortunate enough to find a carrier offering coverage to your organization, you aren’t alone if sticker shock sets in from the quoted costs of premiums.

The cybersecurity threat landscape has gone from bad to worse with the increase in attack vectors like exploiting third-party vendors and ransomware attacks, with the latter increasing 57% over the past year. These have presented higher risk exposure and significant impact imposed on victims ranging from expensive financial losses, operational halts, and damaging reputational fallout.

To further complicate things, the challenges driving the rise in coverage costs cannot simply be pointed to insurance providers raising premiums to meet high profit margins. The loss ratio that cyber liability insurers are incurring has skyrocketed from 25% just two years ago to 73% now. This means that for every dollar that went into cyber insurance premiums, 73% are being paid out in claims. That abnormal ratio is alarmingly high given the overhead and administrative costs associated with a policy. As a result, cyber liability insurance carriers have been losing money, and a lot of it. Hence the hesitancy of many insurance companies to offer cyber liability coverage and the drastic increase in the pricing of premiums that carriers have been forced to impose just to break even.

What is Contributing to the Chaos?

The supply of insurers is not meeting the high demand

It may have taken a little while for organizational risk leaders to catch onto the extreme risk exposure that cyber-attacks are causing, but there’s nothing like an ongoing ransomware epidemic to bring attention to those who were previously underestimating the severity of the cyber risk landscape. Businesses are hemorrhaging seven-figure payouts to ransomware criminals who exploit weak internal controls and force organizations into a no-choice scenario in order to recover their data and systems. The world has now taken notice, and there has been a flood of demand for the still relatively novel field of cyber liability insurance and not enough carriers offering coverage, creating a market imbalance.

Applying standard price modeling is challenging  

Writing coverages for cybersecurity exposure is inherently challenging. Quantifying potential risk exposure from a cyber breach does not follow the standard predictability models that actuaries use to measure risk, like in established coverage areas such as healthcare, property and casualty, and life insurance. In those scenarios, actuaries can quantify the cost of potential healthcare needs or the value of a house or car. Projecting the fallout from a data breach or ransomware event is much more challenging. The average amount demanded by ransomware criminals has been volatile and seemingly unpredictable. This has forced insurance providers to include maximum limits capping the amount that a coverage will payout, like with life insurance. However, life insurance has many more data trends to rely on to help project the duration of any given policy and when that policy will come to term. With cyber liability coverage, an incident of varying liability is just as likely to happen next week as it is next year.

Ineffective internal controls over cybersecurity  

Unfortunately, adequate cybersecurity controls to mitigate known vulnerabilities have not kept up with the pace at which cyber criminals are exploiting those weaknesses. Many organizations still do not have a complete view of what data is deemed to be sensitive or confidential and where this data resides. Lack of effective cybersecurity governance and adoption of a formal framework such as NIST Cybersecurity Framework (CSF) or CIS Critical Security Controls is another gap area leading towards organizations not having effective cyber controls to protect their data from bring breached. Organizations are still playing catchup and the insurance industry has taken notice. Much like how insurance companies will not insure a motorcycle that has no functioning brakes, they also will avoid writing cyber liability insurance to organizations without adequate controls in place to help prevent a breach. Many organizations cannot demonstrate that they have simply assessed their risks over cybersecurity, let alone have adequate mitigation controls in place. Therefore, insurance companies are hesitant to write affordable coverages due to the higher likelihood of unmitigated risks being exploited.

What Can Organizations Do Now?

Perform a cybersecurity risk assessment

Completing a cybersecurity risk assessment addresses two important areas. 1) Helps your organization identify unmitigated cyber risk areas and the action items needed to remediate those vulnerabilities, further lessening your likelihood of a cyber incident. 2) Shows insurance companies that you take cybersecurity seriously, lessening your likelihood to be classified as a high-risk policyholder to help drive down exorbitant premiums.

Address high risk gap areas

Given how far behind many organizations are in establishing a mature cybersecurity control environment, addressing all remediation areas at once may not be practical. Underwriters will look to see that a slew of expected security controls are in place when assessing the insurability of any given organization. These include areas like the use of multi-factor authentication for accessing systems and data, maintaining a regular patch management function, utilizing offline immutable backup solutions, and administering regular security awareness training programs. When confronted with a significant number of gap areas, strategically choosing which high-risk unmitigated vulnerabilities to address may be more cost-beneficial given the immediate risk reduction that can be realized.

Invest in high priced coverage now to save later

At this stage, finding cost-effective cyber liability coverage may not be an option. Demonstrating that cybersecurity risks have been assessed and mitigated will certainly help lower costs, but organizations still may face an undesirable cost point for premium payments. Given the alternative option of having no coverage at all in the current “not if but when” data breach landscape is also unadvised. Making the investment now to spend high on cyber insurance, even a small amount of coverage, may pay dividends in the long run. Similar to how insurance premiums are lowered for good drivers or healthy patients, establishing a track record of strong internal control hygiene and preventing breaches can lower premiums over time, establish rapport with insurance carriers, and lead to higher coverage limits.

How Centri Can Help

At Centri, our IT risk and cybersecurity advisory services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management aligns with the specific needs of your company.