Email Security

    Rethinking Cyber Insurance

    Amid changes in the cyber insurance market, some companies still rely heavily on their policies to mitigate risk, while others emphasize their own cybersecurity defenses

    by Elliot Kass

    Key Points

    • Cyber insurance policies are becoming more expensive and harder to get.
    • Insurers increasingly expect their customers to take proactive measures to safeguard against cyber threats.
    • There is a sharp divide between companies that rely heavily on these policies to mitigate their cyber risk and those that are more inclined to invest in their own cybersecurity defenses.

    Until recently, the underwriting process for cyber insurance was relatively unsophisticated. Insurance company underwriters didn’t have enough data to accurately gauge and price cyber risk, so most applicants filled out a very basic form and received coverage. Because it was easy to get, cyber insurance quickly became de rigueur. The policies were profitable for brokers and carriers, while customers were satisfied to transfer at least a portion of the risk off their balance sheets.

    Most companies continue to recognize the value of cyber insurance that helps defray the costs of a computer breach. However, changes to the cyber threat landscape are making these policies harder to obtain and narrower in the coverage they offer. As a result, even when a company has cyber insurance, it may not cover the totality of its losses due to a cyberattack.

    Against this backdrop, there are stark differences in how companies view cyber insurance and the role that it plays, including whether or not these policies can serve as a substitute for developing a comprehensive cyber preparedness program.

    The Shifting Cyber Insurance Landscape

    In recent years, the volume of cyber breaches and the risks associated with them have continued to mount, and the number of ransomware attacks in particular has exploded. As this was happening, many of the cyber insurance policies that were written provided coverage for the cost of investigating and recovering from a ransomware event, including the cost of the ransom, if it was paid. This disincentivized companies from investing more in cybersecurity, even as the threat level kept rising. Money that could have gone towards improving businesses’ cybersecurity postures was spent elsewhere, leaving the insurance carriers on the hook for hundreds of millions of dollars of ransomware costs.

    Unsurprisingly, this led insurers to become more selective about what they will cover and to whom they will provide coverage. The cost of policies has risen and — even more concerning from the standpoint of the insureds — coverage limits have not kept pace with the scope and scale of the losses they might incur from a cyberattack.

    The days when insurance companies were willing to accept the entire risk of a data breach or fraud are over, and carriers now expect customers to proactively reduce their exposure to these threats. A recent report from the cyber insurance company At-Bay provides a window into this current state of affairs [1]. At-Bay’s analysis of email-related claim filings submitted by its 40,000 small and midsize business policy holders between mid-2018 and May 2022 found that:

    • There’s a significant difference in claim frequency among insureds using different email security solutions. The gap between the best and the worst solutions was 53%.
    • Those with a Mimecast email security solution reported the lowest number of incidents. On average, those using Mimecast experienced 22% fewer incidents compared to the population of At-Bay insureds using an email security solution as a whole.
    • Having a top-tier email security solution in place can lower cyber insurance premiums by up to 50%.

    The Bottom Line

    An insurance policy cannot replace a company’s own cyber preparedness plan. While it may make financial sense to insure against cyber risk, even the best cyber insurance can only compensate for damage that’s already been done; it can’t prevent the damage from occurring in the first place. Only an organization’s own cybersecurity defenses can do that. 

     

     

    [1] “Ranking Email Security Solutions,” At-Bay
