Cyber Insurance Rates are Climbing Like Crazy — Here’s How to Navigate
Heath Anderson | June 28, 2022
Cyber insurance rates have exploded — and coverage levels have shrunk — in response to the increased frequency and costliness of cyber attacks. Much like a homeowner’s insurance rates will likely increase after a nearby natural disaster, companies are paying the price for high-profile and expensive breaches.
How have cyber insurance rates changed? Direct-written premiums collected by cyber risk insurance carriers in the United States rose by an astounding 92% year-over-year in 2021. This increase is primarily a reflection of higher rates and expanded coverage.
Despite the increased expense, cyber insurance is still well-worth having for your organization. But, you’ll need to learn how to navigate cyber insurance differently. Here I’ve outlined why rates have risen and how your business can secure the best rates possible.
Expect Higher Premiums for Less Cyber Risk Insurance Coverage
Let’s back up, how do insurance companies make money? The general insurance business model, regardless of the type of insurance, is all about loss ratios. A loss ratio is a simple relationship between the dollar amount of premiums collected compared to claims paid, represented by a percentage. The lower the percentage, the more revenue the insurer keeps.
The average cyber insurance loss ratio rose to 72.8% in 2021, a 25% increase from 2019. To look at it another way, insurance companies only kept roughly 27 cents out of every dollar paid in premiums, when in 2019, they kept 52 cents. That means raising rates to make up for the higher loss ratio.
The dramatic change in the average loss ratio shows that these higher premiums don’t mean enhanced coverage. Additionally, many cyber insurance providers have added new exceptions to avoid paying on claims. For example, this cyber insurance provider specifies that they will not pay any claims due to using outdated or unsupported software or systems.
Plan for Thorough Due Diligence When Renewing or Starting Coverage
When you buy auto insurance, your driving history plays a significant role in determining your premium, and new apps that track driving habits will impact renewals. Cyber risk liability insurance premiums are similar — the better your cybersecurity posture, the better rates you’ll receive.
The due diligence process from a cyber insurance provider has become much more thorough than in previous years, expanding from 20-30 questions to sometimes over 200 as well as requiring interviews. Providers don’t want to insure a risky company that will negatively impact their loss ratios. Therefore, expect your entire risk posture to be assessed, scrutinized, and potentially render you ineligible for coverage.
But it's not all hopeless. Let’s go over a few key ways you can prepare for initiating or renewing cyber insurance coverage to get the best rate possible.
Start with a Broker — The Sooner the Better
Remember, the better your security, the better your rates. A cyber insurance broker can help you audit and improve aspects of your cybersecurity program before you start applying for quotes. Rather than improving your security with your best guesses, a broker can give specific insights to guide the process based on your industry, company size, and current risk profile.
In addition, the average due diligence process from a cyber insurance provider can take up to six months, and that includes renewals. Preparing ahead of time can help reduce this timeframe and get your company insured faster. A broker will help manage these processes across multiple insurer options to ensure you are able to meet your renewal date and hit your target coverage level through a single policy or by combining multiple supplemental insurance policies.
Strengthen Identity and Access Management
Identity and Access Management (IAM) is a core aspect of your cybersecurity profile and one that insurers are likely to focus on during due diligence. IAM embodies three pillars of security:
IAM is not a new concept, but next-gen security systems have greatly enhanced it. For example, rather than relying solely on usernames and passwords, IAM can leverage multifactor authentication (MFA), geolocation, device history, and user behavior to ensure that only authorized users access your resources.
Zero-trust architecture takes IAM to the next level by requiring users to continually prove their authenticity as they access different resources and systems. Users should only have the exact access levels they require to carry out job-related tasks, nothing more.
While most insurers today focus due diligence on requiring MFA and VPNs for your production access, these newer concepts like zero-trust, better protect your data are on the due diligence horizon as the space rapidly matures.
Have Robust Asset Management Programs
You can’t secure an asset if you don’t know it exists or don’t know about vulnerabilities facing known assets. An asset is any device, service, or resource in your organization.
Effective asset management provides proactive protection by perpetually discovering new assets and vulnerabilities. Additionally, should a cyber attack succeed, a quality asset management program will allow IT to quickly determine the attack's impact and start the incident management process.
A few aspects of asset management are:
Continuous policy enforcement
Demonstrating a thorough asset management program to cyber insurance providers will give them confidence in your ability to prevent attacks from occurring.
Improve Data Encryption and Networking
How secure is your data as it exists in multiple stages throughout your infrastructure, including third-party cloud providers? Cyber insurers will find out. Data encryption stages include:
Data in transit as it moves throughout the network.
Data at rest when stored internally or externally.
Data in use that has weaker protections than the above stages.
Which type of encryption should you use? That depends on the amount of data and who or what system needs to access it. You’ll need to examine your organization’s needs to determine how to best encrypt your data and the network it travels through.
Refine Your Incident Response Plan
Does your organization have a thoroughly documented incident response plan? Does it include what additional resources you will need on retainer in the event of an incident? Cyber insurance providers will review it and look for problems, they also will provide services and information to ensure your response will meet their requirements to make a claim. An ideal incident response plan ensures consistency from the response through the recovery effort, including what investigations are required prior to filing a claim.
Cyber insurers will want to see an incident response plan that includes the following steps:
Identification: Before taking any actions, security staff should review relevant security policies, identify affected assets, and prioritize critical affected assets.
Containment: The security team should be equipped to detect deviations from normal operations and understand if those deviations are due to the breach. Both short-term and long-term containment measures should be used, such as temporarily isolating a network resource or rebuilding affected systems.
Eradication: The root cause must be identified and corrected, such as removing malware or an unforeseen vulnerability.
Recovery: IT can now cautiously bring affected systems back online. Thorough testing and examination of affected resources should be conducted.
Improvements: Within two weeks of an incident, the security and IT should explore how to refine the organization’s security to prevent a similar incident from occurring in the future.
Each step, and potentially additional steps related to your organization, should become a thoroughly described policy that can be handed over to an insurer for review. Once you have selected your insurer or if you have combined multiple insurers to reach a certain coverage level, make sure that your incident response plan documents the specific parties such as external counsel, forensics, or additional responders so that the claims process can be achieved.
Quantify Risks to Illustrate Your Overall Security Posture
All of the steps above improve your security posture and help demonstrate to insurers that you are doing everything possible to prevent a cyberattack from succeeding. In the wake of lower coverage limits, the question of “how much coverage do we need?” is happening more often to determine if one policy or a combination of secondary insurance policies is required. To assist in that calculation, risk quantification can serve as a great baseline along with with your existing financial model to set the target limit.
Risk quantification is a process in which multiple aspects of your cybersecurity profile are evaluated and assigned understandable metrics and models, such as quantifying the potential cost of a breach. Platforms that quantify your risks can help streamline the decision-making process to ensure you are covered or can absorb the cost for the most likely risk scenario. A risk quantification platform can also help your IT staff communicate with decision-makers to demonstrate the prioritization and cost savings of remediating vulnerabilities or bolstering security against the cost of insuring or absorbing the risk directly.
Are you experiencing what many in the industry are quickly finding when trying to get to a certain cyber coverage number and realizing that limit isn’t cheap or easy to achieve as years past? Then, explore LogicGate’s Risk Cloud Quantify™ and see how our next-gen platform can help your company make more informed decisions to determine the right coverage level and demonstrate why remediation can help improve your company’s bottom line.