The Cyber Insurance Market Comes into Its Own
Over the past five years, the cyber insurance market has undergone significant maturation. Enhanced by a robust data repository and accumulated experience, insurers now possess a more precise framework for risk assessment and pricing. This has led to moderation in cyber insurance premiums despite an increase in claims frequency and severity in the first half of 2023 across businesses of every size.
The ever-evolving nature of the cyber landscape mandates continuous recalibration by insurers. Rigorous underwriting persists, with insurers prioritizing advanced cyber hygiene. Coverage terms, therefore, directly correlate with an organization’s readiness. For context, while claims and ransomware incidents declined in 2022, 2023 saw a resurgence. The U.S. experienced a 75% uptick in ransomware events within the first half of the year alone, as reported by Malwarebytes Inc.
Within the cyberthreat landscape, industries including financial services, professional services providers, technology services and software, and manufacturing find themselves particularly vulnerable. These sectors, along with associated supply chain entities, are exposed to high or extremely high cyberrisk levels (Figure 4). Leveraging specialized solutions offered by insurance brokers and carriers has emerged as a critical strategy for these organizations, enabling them to manage and mitigate the inherent cyberrisks more effectively.
The path ahead for the cyber insurance market is not without its challenges. External pressures such as looming inflation and the tightening of client resources could present significant hurdles. Even more concerning is a potential recession. Should this economic downturn materialize, it may constrain the ability of many companies to invest in cybersecurity due to restricted capital and limited availability of specialized talent.
In this report, we will explore the multifaceted dimensions of risk, claims, and pricing trends within the cyber insurance industry. We will illuminate the legal and regulatory landscapes that are poised to influence the future of cyberrisk management and highlight innovative strategies that are enabling businesses to strengthen their cyber defenses and reduce the potential financial impact of cyber incidents.
CYBER CLAIMS TRENDS AND COSTS
The global average cost of a data breach reached $4.45 million in 2023, a 2.3% increase from 2022 and 15.3% from 2020, according to IBM’s Cost of a Data Breach 2023 report. Both data at rest and data exchange are at risk, so organizations must have a multipronged strategy for protecting data repositories and cyber interfaces, which involve any process that relies on transmission over the internet.
Increasingly, hackers are using fileless attack software, meaning they don’t need to install malware on target systems. These attacks often begin with calls to an organization’s help desk to gain crucial data on the network. This is followed by a fraudulent call or emailed link to gain login and multifactor authentication details. Once inside, the hacker poses as the authorized user to set up all the accounts and code needed to accomplish the hacker’s goals, with no malware needed. In fact, 71% of cybercrime detections identified malware-free activity, according to CrowdStrike.
Attacks on cloud-based interfaces also are increasing, with The Reality of SMB Cloud Security in 2022 report by Sophos indicating 56% of survey respondents had an increase in the number of attacks, 59% saw an increase in the complexity of attacks, and 53% said the impact of attacks on their cloud presence grew.
Of special note: small to midsize businesses comprised 98% of cyber claims from 2018 through 2022, according to NetDiligence’s Cyber Claims Study 2023, with an average cost per incident of $865,000 in 2022. Ransomware is the biggest threat, rising from $514,000 in SMB claims in 2021 to $555,000 in 2022, according to the study. Business interruption is one of the greatest problems resulting from a cyberattack for SMBs, with losses from such interruptions averaging $370,000 in the 2018-2022 time frame.
The top five causes of loss for SMBs, according to NetDiligence, are ransomware, business email compromise, hacking, theft of money, and staff mistakes. These are areas companies should be targeting with special attention since insurance companies are becoming more demanding when it comes to demonstrating cyber risk management.
RISK MITIGATION HELPS WITH PREMIUMS & COVERAGE TERMS
Insurers are insisting on robust cyber risk management before they agree to insure businesses. Companies with solid cyber protocols and no history of loss are the most attractive to insurers, but even with prior claims, businesses that can show they’ve made corrections are able to get coverage—and some on good terms.
Resource misconfigurations and unpatched weaknesses are the main problems for cloud-based cyberrisk, according to the Sophos report. The report further points out that it’s crucial to have visibility across all organizational resources and configurations to quickly identify problems and take action. This is an area where the vast majority of cloud users are weak. It requires 24/7 monitoring, for which many organizations don’t have the resources, as well as 24/7 immediate response capability.
We also have seen an uptick in lawsuits alleging privacy law violations, in particular those involving pixel tracking technology. With states and national governments legislating data privacy regulations, the door is wide open for cyber-related directors and officers complaints, as well as for regulatory investigations and shareholder derivative suits if stock value is impacted by a cyber failure.
As a result of these exposures, businesses are facing a more demanding underwriting process that includes thorough examination of a company’s security controls, internal processes, and procedures concerning cyberrisk. Underwriters are using third-party scanning technologies to help detect cyber weaknesses in clients seeking coverage.
Some insurers are including endorsements that exclude coverage for, or apply co-insurance to, specific problems identified in the underwriting review process. There may even be a review of an applicant’s partners’ cyber hygiene if those firms’ systems are deemed a potential source of vulnerability.