The Evolving Cyber Insurance Market


The cost of cyber insurance is on the rise, with premiums jumping 50-100% in some cases. Inflation is all over the news, but the rapid increase in cyber insurance premiums is more than a general rise in the cost of goods and services: it is the market repricing the risk organizations face today.

The cyber insurance industry was due for correction

The cyber insurance market has undergone, and is still undergoing, a correction. After many years of a soft market, ransomware losses, the cyber threat posed by the Russia-Ukraine war, and a series of court decisions in coverage lawsuits have pushed the industry to work out the right size of the market and what the coverage is actually worth.

Small businesses are no longer immune from the effects of data breaches. In 2020, 28% of data breaches targeted small businesses, at an average cost of $36,000 to $50,000; for small-to-midsize companies the average rises to $86,000.

Direct-written premiums collected by the largest U.S. insurance carriers in 2021 swelled by 92% year-over-year, according to information submitted to the National Association of Insurance Commissioners (NAIC), the standard-setting body of the U.S. state insurance regulators, and compiled by ratings firms.

Cyber insurance can be unobtainable at any cost

As concerning as the rapidly rising prices are, many prospects and clients are coming to us and reporting that they have been declined coverage outright, at any price.

Sometimes the decline is driven by the applicant's vertical and its inherent risk; at other times it is the applicant's inability to demonstrate good cyber hygiene. Many insurers now use platforms that assign clients and prospects a security 'credit score'. These platforms draw on a variety of sources, from public DNS data and Shodan (a search engine for internet-exposed hosts and services) to buying the assets of defunct malware groups and reverse engineering the sites those groups had attacked.
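The page does not say which signals these scoring platforms weight, so as an added illustration (not the page's, Foresite's, or any vendor's code) here is a small self-check over the kind of data they collect passively: your domain's public DNS TXT records and a Shodan-style list of exposed services. The specific checks (SPF and DMARC presence and policy, management ports such as RDP and SMB reachable from the internet) are assumptions about what such a platform would penalise, and the DNS records and service list are constructed sample input so the script runs offline.

```python
"""
External-hygiene self-check over passively observable data: public DNS
TXT records and an exposed-services list of the sort Shodan returns.
Added example; the checks are assumptions about typical scoring inputs,
not any insurer's published formula.
"""
import re

# Constructed sample data standing in for a DNS query and a Shodan result.
SAMPLE_TXT_RECORDS = {
    "example.test": [
        "v=spf1 include:_spf.mail.test ~all",
        "some-site-verification=abc123",
    ],
    "_dmarc.example.test": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    ],
}
SAMPLE_EXPOSED_SERVICES = [
    {"ip": "203.0.113.10", "port": 443, "product": "nginx"},
    {"ip": "203.0.113.10", "port": 3389, "product": "Microsoft Terminal Services"},
    {"ip": "203.0.113.11", "port": 445, "product": "Samba"},
]

# Ports that scanners commonly flag when reachable from the internet (assumed list).
RISKY_PORTS = {
    21: "FTP exposed to the internet",
    23: "Telnet exposed to the internet",
    445: "SMB exposed to the internet",
    3389: "RDP exposed to the internet",
    5900: "VNC exposed to the internet",
}


def check_spf(txt_records, domain):
    """Return a finding string for a missing or permissive SPF record, else None."""
    recs = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not recs:
        return "no SPF record"
    if len(recs) > 1:
        return "multiple SPF records (invalid per RFC 7208, receivers treat as permerror)"
    if "+all" in recs[0]:
        return "SPF ends with +all (authorises any sender)"
    return None


def check_dmarc(txt_records, domain):
    """Return a finding for a missing or non-enforcing DMARC policy, else None."""
    name = "_dmarc." + domain
    recs = [r for r in txt_records.get(name, []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return "no DMARC record"
    match = re.search(r"\bp=(\w+)", recs[0])
    policy = match.group(1).lower() if match else "missing"
    if policy in ("none", "missing"):
        return f"DMARC policy p={policy} (monitoring only, no enforcement)"
    return None


def check_exposed_services(services):
    """Return one finding per exposed service whose port is in RISKY_PORTS."""
    return [
        f"{s['ip']}:{s['port']} {RISKY_PORTS[s['port']]}"
        for s in services
        if s["port"] in RISKY_PORTS
    ]


def external_hygiene_findings(domain, txt_records, services):
    """Combine the DNS and exposure checks into a single findings list."""
    findings = [f for f in (check_spf(txt_records, domain),
                            check_dmarc(txt_records, domain)) if f]
    findings.extend(check_exposed_services(services))
    return findings


if __name__ == "__main__":
    for finding in external_hygiene_findings("example.test",
                                             SAMPLE_TXT_RECORDS,
                                             SAMPLE_EXPOSED_SERVICES):
        print("FINDING:", finding)
```

Against the sample data the script reports the monitoring-only DMARC policy and the two exposed management ports; the SPF record passes. Swapping the constructed dictionaries for real `dnspython` lookups and a Shodan host query gives you roughly the view an underwriter's scoring platform sees before you apply.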

Strong cybersecurity can increase insurability

Like it or not, the move toward stronger cyber practices is being driven by the insurance industry. So, what can businesses and organizations do?

An insurer approaches this like a "safe driver discount": if you can demonstrate a good cybersecurity program, it will reduce rates and possibly expand coverage. In some states, cybersecurity safe harbor laws have also gone into effect that give businesses which can demonstrate alignment with a recognized framework an affirmative defense against data-breach lawsuits.

To demonstrate good cybersecurity practice, we recommend aligning to a known framework or standard. There are many good ones, but the usual starting point is the NIST Cybersecurity Framework (CSF). Aligning your security program with the CSF and having a third party review and attest to your maturity and alignment goes a long way toward assuring cyber insurers that you are a safe risk. It also assures you and your stakeholders that, at the very least, you can withstand a basic cyber attack.

Steps to reduce your cyber risk

The next step is to monitor and maintain the program through an integrated risk management platform like Foresite's FIRM, so that if asked you can provide proof not only that you have implemented a robust set of controls but that you maintain them over time.

To be sure, the cyber insurance landscape is pushing organizations toward more mature cybersecurity programs. You can get ahead of this by aligning to a framework.

Thomas Allen
Principal Consultant / Information Security Officer – C|CISO, CRISC, CCSP, ISO 27001 LA, CISA, CISSP, HCISPP, GCCC, GCFA at Foresite Cybersecurity
