Better Security Measures May Reduce Cyber Insurance Premiums
Fortifying your security with better controls, greater employee awareness, and a formal security budget could also lower your cyber insurance premium.
Key Points
- To help outsource their security risk, more companies are purchasing cybersecurity policies.
- A company’s industry, location, revenue, and intangible assets all figure into insurers’ premium calculations.
- Better security measures can help keep premiums in check.
- But with cyber threats surging and more claims being paid, cyber insurance premiums are still likely to rise.
Shrewd businesses are fortifying themselves against ransomware and other cyber perils. In the process, they may also be reducing their cyber insurance premiums.
“More people are buying cyber insurance because awareness has been raised, and this is accelerating due to the increased reliance on technology during lockdown,” says Jennifer Braney, a broker with Capsicum Reinsurance Brokers LLP, a large provider of cyber reinsurance.
Cybersecurity policies cover the cost of data recovery and legal liabilities, and even pay for negotiators who can converse in the malicious actors’ native language.[i] The breadth of these policies varies and insurers may offer incident response services and indemnity, which covers the cost of recovery and any liability associated with the cyber event.
To price their policies, insurers scrutinize many facets of a business, from whether it’s proactive and focused on resilience to its awareness, comprehension, and approach to managing the risk. Their view is that cybersecurity insurance shouldn’t be a company’s only defense against cyber risk; strong organic cybersecurity should come first.[ii]
“Underwriters expect businesses to meet specific standards for security controls and be able to demonstrate and evidence how seriously they are taking it,” explains Sebastien Plummer, another Capsicum broker. “If they don’t have controls in place, that’s not to say that they can’t obtain cyber insurance—they just may pay more for it.”
Putting a chief of security or a large security team in place may seem like the best way to demonstrate a security mindset, but it’s even more meaningful to have a security budget that’s allocated on an annual basis. Other factors that figure into an insurer’s ratings assessment include whether the CEO is engaged and whether the CTO and CISO directly report to the CEO, demonstrating that senior management takes cybersecurity seriously. To assess this, some insurers engage in conversations with the CFO or CTO.
Smaller Companies, More Vulnerability
Compared to large corporations, small and medium-sized companies and startups are often less aware of their vulnerabilities and risk exposures, and may be less resilient when faced with cyber threats. They also may lack the resources to employ an entire security team to oversee their defenses, but they can compensate by signing on with a cybersecurity service.
“Outsourcing makes financial sense and can ensure that they’re staying ahead of their peers,” says Plummer. In this way, they can avoid becoming the “low-hanging fruit” that attracts bad actors. “A service gives you an 800-line to call in the A team and have your event taken care of by people who are extremely skilled and know exactly what to do in that very time-critical moment,” he explains.
Factors Affecting Premiums
Other factors that play into how premiums are calculated include the company’s industry, its location, and, most importantly, its revenue. “Revenue is probably the key rating metric that helps underwriters understand the potential financial impact of a cyber event,” says Plummer.
Yet another consideration is the value of the company’s intangible assets and the data it collects about its customers. Insurers assign a dollar value to this personally identifiable information (PII).
Industries with greater exposure to data privacy risks, such as financial services, healthcare, and retail, are expected to have more robust security measures in place.[iii] Retail, with its customer databases and loyalty programs, and government agencies that collect great stores of personal data on U.S. residents, are frequently targeted by malicious actors.[iv] But according to a recent Wall Street Journal Pro survey, just 42% of government agencies provide cybersecurity training.[v]
Underwriters delve into how likely it is that bad actors will focus on the industry that the policyholder operates in,[vi] and they weigh the company’s various attributes, using their own models, to rate the risk. “Each industry has its own exposures, its own type of sensitive information,” says Plummer, adding that insurance company underwriters take this into account when assessing the likelihood that a company will be attacked.
Security Awareness Training
Employee and executive awareness training should also be a priority for all companies, large and small.[vii] It not only figures into how insurers set their rates, but heightening employees’ security awareness can significantly reduce cyber risk. The WSJ Pro survey found that companies that provided executive-level training were better equipped to identify and protect critical data (84% compared to 72%), more likely to have cyber insurance coverage (63% versus 51%), and much more likely to have established an incident-response plan (84% versus 70%).[viii]
Security awareness training also helps reassure an insurer that the company takes cybersecurity seriously, which can help keep a cyber policy premium in check.
The Rate Outlook
The cyber insurance market has ballooned to an estimated $2 billion in North America and $3 billion globally, making it the fastest-growing insurance category, and the U.S. is the biggest cyber insurance market. While many large companies with high exposure to data privacy risks already have cyber programs in place, the small and medium enterprise market is rapidly growing—61% since 2017.[ix]
As the number of ransomware and other types of cyberattacks continues to rise, the cost of cyber insurance is projected to increase between 5% and 25% over the next few years.[x] But the growing popularity of these policies is also contributing to the higher premiums. Says Plummer, “Cyber insurance is a real tangible way of transferring risk off your own balance sheet. But given that the number of claims is growing, it’s not surprising that premiums are also on the rise.”
The Bottom Line
Putting security controls like secure email gateways, endpoint protection, and a firewall in place; demonstrating that senior management takes the problem seriously; conducting awareness training; and designating an annual security budget can all help reduce a company’s cybersecurity insurance premiums and deductibles. But while these measures can hold down the cost of a policy, with the number of threats growing and more claims being paid, cyber insurance premiums are still expected to increase between 5% and 25% over the next few years.
[i] “Insurers look to curb ransomware exposure as U.S. cyber rates rise,” Reuters
[ii] “Cyber insurance policies evolving to meet emerging risks — and premiums reflect it,” CIO Dive
[iii] “Using Cyber-Insurance to Improve Cyber-Security: Legislative Solutions for the Insurance Market,” Obama White House
[iv] “Post-Pandemic Cyberattacks Target Vulnerable Industries,” Cyber Resilience Insights
[v] “Which Industries Aren’t Ready For a Cyber Attack?” Wall Street Journal
[vi] “The Role of Cyber Insurance in Securing the Private Sector,” FDD
[vii] “The Role of Executive Training in Building Cybersecurity Culture,” Cyber Resilience Insights
[viii] “Which Industries Aren’t Ready For a Cyber Attack?” Wall Street Journal
[ix] “Here’s What’s Happening With the U.S. Cyber Market,” Risk & Insurance
[x] “Insurers look to curb ransomware exposure as U.S. cyber rates rise,” Reuters