Navigating Cyber Security Insurance - Dynamic Computing

According to the Office of the Director of National Intelligence, 2023 was a watershed year for ransomware globally, with the number of attacks rising by a staggering 74 percent over the previous year.

This sizable jump led to another record being broken, as businesses spent more than $1 billion on ransom payments for the first time.

As the number of attacks — ransomware or otherwise — continues to grow at an alarming rate, so does the demand for cyber insurance. 

In fact, just five years ago, the cyber insurance market was $5.8 billion. Three years later, it had more than doubled to $11.9 billion. And by 2025, it’s expected to nearly double yet again, reaching $22.5 billion.

It’s not just large corporations creating such a bullish market for cyber insurance. Increasingly, small and mid-sized businesses are feeling the need to invest in it for several compelling reasons, including:

• The staggering costs of data breaches, from legal fees and regulatory fines to the costs of notifying customers, hiring an incident response company, and conducting a forensic investigation.
• Regulatory requirements for data protection, such as CCPA, that come with hefty fines for non-compliance.
• The ability to recover more quickly — and greatly reduce costs — from downtime and data recovery
  
  

A complicated knot

While the growing number of companies, small and large, getting cyber coverage is a good thing, it’s also coming at a cost as insurance companies are increasingly making the process of obtaining coverage more complicated.

In fact, in an effort to reduce the number of claims and manage their own risks, insurance providers are increasingly:

1. Implementing more rigorous underwriting processes to assess the cyber security posture of prospective policyholders. This may involve detailed questionnaires, on-site assessments, and the requirement for businesses to demonstrate compliance with industry best practices.
   
   
2. Requiring businesses to undergo cyber security audits as part of the application process. These audits evaluate a company’s existing security measures and identify vulnerabilities that need to be addressed before coverage can be granted.
   
   
3. Boosting premiums and deductibles for policies to manage their own financial risks and ensure that businesses have a strong incentive to maintain robust cyber security measures.
   
   
4. Adding more exclusions and limitations to cyber insurance policies. For example, some policies may exclude coverage for certain types of cyber attacks, such as state-sponsored attacks or acts of war. Others may limit the amount of coverage available for specific incidents, such as ransomware attacks.
   
   
5. Requiring businesses to implement specific cyber security controls as a condition of obtaining coverage. This may include multi-factor authentication, regular security training for employees, and the use of advanced threat detection tools.

The effects of these changes go beyond creating more hoops for companies to jump through in order to get insurance. 

Increasingly, it’s making deciding what coverage a company should get — even understanding the process for getting coverage — more difficult, particularly for small and mid-sized businesses. So to help clear the air a bit, here’s a quick explanation on how it works:

Cyber insurance policies typically offer a combination of first-party and third-party coverages. The former helps the insured business itself, while the latter protects against claims from third parties.

First-party coverage can cover things like the costs associated with responding to a data breach, such as notifying affected individuals, providing credit monitoring services, and conducting a forensic investigation, as well as incident response and remediation. 

Additionally, first-party coverage can compensate a company for lost income and other costs incurred from a cyber attack that disrupts operations, as well as ransom payments from ransomware attacks.

Third-party coverage, meanwhile, often covers legal fees and settlements due to a company failing to prevent a breach or attack, the costs of defending against claims related to the unauthorized disclosure of sensitive information, as well as regulatory fines and penalties.

A necessary headache

With cyber threats omnipresent and ever-evolving, cyber insurance has become an essential component of a comprehensive risk management strategy for businesses.

Few small to mid-sized companies, however, have the time, resources, or experience to modernize their underlying IT infrastructure before applying for coverage.

That’s where the experience and expertise of a managed IT services provider comes in. 

It is our job to not only understand the process of getting cyber insurance coverage, but to also help companies navigate the complexities of applying for coverage.