The average cost for cyber insurance rose about five percent in 2019 despite the large increase in the number of attacks and claims files, a new report has found.
The business insurance advisory firm AdvisorSmith told SC Media this counter intuitive result is due to the fact that while claims rose 20 percent in 2018 from 2017, the last year from which data is available, the severity of loss on each claim declined by about 11 percent negating the need for a massive surge in premium prices.
“Also, the ransomware attacks that have been in the news a lot recently are often subject to sublimits, which limits the insurance company's losses. For example, on a $1,000,000 policy, the ransomware sublimit might be as low as $25,000. Insurance companies are getting better at underwriting cyber risk as they gain more experience in the sector, and companies are also strengthening their cyber defenses to counter the rise in cyberattacks,” said Adrian Mak, CEO of AdvisorSmith.
The five percent increase bumped up the average annual premium to $1,501 for a business facing moderate risks with liability limits of $1 million, a $10,000 deductible, and $1 million in company revenue. A recent IBM study found the average cost of responding to a data breach for U.S. firm is $8 million, although the total does depend greatly upon the size of the company.
The five percent jump was described as “relatively stable” for an insurance market, by Mak.
Despite these rather reasonable prices, Mak said only about 20 percent of businesses have invested in cyber insurance.
Other factors also come in to play when determining premium levels, this includes the customer’s ability to protect itself from cyberattacks, the physical location of the facilities being covered along with more basic insurance factors such as total coverage selected and deductibles.
To make sure a potential customer is taking the proper precautions cyber insurance carriers are vetting customers based on their cybersecurity posture and charging those with poor cybersecurity practices higher premiums, said Mak. This assessment could include checking on the number of sensitive records stored by an organization, as well as the number of financial or credit card transactions processed by the company. Usually, the higher the number of sensitive records or financial transactions stored, the higher your company’s insurance premiums will be, said Mak.
“Some of the security measures that your company could take include hardware and software network security, data loss prevention procedures, multi-factor authentication, and encryption. Insurance companies also are interested in whether your company patches software vulnerabilities on a regular basis, and also whether your company uses third-party firms for security assessments and audits,” the AdvisorSmith report stated.
Cyber insurance is also playing a role in the decision process on whether or not to pay a ransom. The last several months have seen several companies and municipalities opt to pay the ransom citing the fact that they were carrying cyber insurance and thus would only have to pay the deductible. Most recently the Rockville Center (NY) School District opted to pay an $88,000 ransom, joining Lake City, Fla. and Jackson County, Ga. among others that have caved in to their attacker’s demands.