The use of cyber policies has flourished in the last few years as organizations recognize insurance as another tool to manage risks to their business. Getting cyber insurance seems prudent because we can never entirely erase our risks. But the cyber insurance landscape is changing, and navigating it requires understanding many nuances. And now many CISOs are also wondering whether they should consider other alternatives.
The evolving cyber insurance market
The cyber insurance market is growing at a steady clip, likely to reach $28.6 billion in 2026 (up from $4.8 billion in 2018). A World Economic Forum survey of security leaders found that 71% of organizations have cyber insurance. But many find that premiums are going up while coverage and claim payouts are going down, and obtaining or renewing coverage has become much more complicated.
The most recent example of the shifting cyber insurance landscape was highlighted by Russia’s war on Ukraine. As fears unfolded about cyber attacks rising during the geopolitical conflict, insurers braced for the potential of mounting claims. Starting in March 2023, the insurance and reinsurance marketplace Lloyd’s of London, which had reported facing major demands related to various Russia-Ukraine war claims, will stop covering losses from state-sponsored cyber attacks that occur in wartime.
These trends are troubling because most organizations do not have the resources to fight state-backed actors. Nation-state attacks are a major reason why organizations need coverage, so this exclusion puts them in a precarious situation.
Nation-state attacks are not the first time the insurance industry has looked for ways to avoid or lessen coverage. Insurers experienced a huge rise in ransomware claims at the height of attacks in 2020 and 2021. For instance, Allianz Global Corporate and Specialty reported a 50% increase year-on-year in 2020, and claims in the first half of 2021 equaled those received in the entirety of 2020. The escalating costs of ransomware claims resulted in insurers raising their ransomware policy rates while others have stopped covering ransomware altogether.
Coverage and payouts are an increasingly complicated process
In the past, applying for cyber insurance underwriting was a straightforward procedure, typically only requiring completing a multi-page form. Today, due diligence demands for both new policies and renewals take CISOs hours as they complete lengthy questionnaires assessing their security posture.
Many underwriters also use third-party services that score security posture from an external view. Organizations viewed as high risk may end up paying higher premiums or may even be deemed uninsurable. This means customers constantly defend their scores—often by incurring added costs to satisfy these scoring vendors.
Adding to the pressure is that payouts for covered incidents come with caveats. For example, the insurance company may require that it approve the forensic firm used to investigate an incident. However, the window for hiring a firm is typically very short because the evidentiary trail is fleeting. Insurance companies often require very specific steps during incidents, and deviating from those requirements could quickly get very expensive because only a fraction of the claim might be paid.
The challenge of understanding exactly what a policy covers adds to the difficulties. Industry history shows that some claims are denied on an overly specific reading of the language in a policy or even on how cyber-related losses occurred.
Navigating the complexities of cyber insurance
Given all the intricacies of cyber policies—not to mention increasing rates—more CISOs are looking elsewhere. One common topic of conversation among peers is self-insurance. This approach presents options such as an entirely self-funded or captive (where a company creates its own insurance company) program. The market has various tools available for organizations seeking alternatives for managing risk.
Whatever options CISOs are pursuing, they need to take the time to understand the nuances of the cyber insurance landscape and the trends within it. They should seek out their internal Risk Management and Legal partners to help them better understand the cyber insurance market and how they can better position their company for coverage and incident response. If they opt for traditional policies, they must understand what coverage they need, how their security posture affects their insurance policy and rates, and how to follow the rules of engagement with their insurance carrier.
Most CISOs realize they need cyber risk insurance in one form or another. As we all know, cyber attackers are unrelenting, and both the number of attacks and their costs continue to escalate. No matter how robust and comprehensive our controls are, there may always be vulnerabilities that adversaries can exploit, which means we need all the tools at our disposal for managing risk—insurance included.
This month’s CISO Hub further explores cyber insurance and offers a helpful resource of tips every CISO should follow when contemplating a new policy. Be sure to check it out.