A guide to getting the right cyber insurance


While the cybersecurity risk insurance market has been around for more than 20 years, the rapidly changing nature of attacks and the rise in the ransomware epidemic have markedly changed the nature of cyber insurance in recent years.

It’s more challenging for organizations to get cyber insurance, and when they do manage to get insured, the premiums are steep. It also turns out that not all policies cover ransomware, the leading cause of cyber insurance claims.

Consider this: The demand for cyber insurance has risen, with the share of insurance clients opting for cyber coverage rising from 26% in 2016 to 47% in 2020. However, the cost of these policies in the U.S. has surged by 50%.

Still, the benefits of effective cyber insurance policies are many: financial coverage in the event of a cyber incident, commercial necessity for doing business with many organizations, operational support from experts in the event of an incident, and peace of mind for the business, its customers, employees, partners, and investors.

Sophos recently published the Sophos Guide to Cyber Insurance. The guide emphasizes that investing in robust cyber defenses can reduce an organization's cyber risk, thereby improving its ability to get an effective and more affordable insurance policy, and even enabling high limits on that policy. Getting the right cyber policy for your organization is crucial. The guide highlights that roughly one-in-ten organizations with cyber coverage were not insured for ransomware, leaving them alone with the high costs and challenges associated with recovering from these attacks.

While cyber insurance policies are increasingly expensive and harder to come by because of the rising cost and complexity of attacks, enterprises can still find the right cyber insurance for them. The guide explains that it’s essential that companies do the following to succeed:

Understand the basics: Cyber insurance, also known as cyber risk insurance and cyber liability insurance, protects enterprises from the financial impact of cybercrime. It covers costs in the event of a cyber incident, provides immediate access to experts, and gives confidence to stakeholders that the enterprise is prepared for a cyber incident.

Assess coverage needs: Enterprises should choose a policy that enables them to recover successfully from a cyberattack while keeping premiums affordable. The average cost to recover from a ransomware attack in 2023 was $1.82 million, so coverage should reflect potential recovery costs.

Evaluate policy terms: Policies vary, and not all cover ransomware, the leading cause of cyber insurance claims. Enterprises should ensure their policy covers the types of cyber threats they are most likely to face.

Invest in cybersecurity: The level of cybersecurity an enterprise has can affect its insurance position. By investing in strong cyber defenses, enterprises can reduce their cyber risk, which can improve their insurability and potentially even reduce premiums.

Consider the market conditions: The cyber insurance market has hardened, meaning it has become more difficult to secure coverage. However, enterprises with strong cybersecurity measures in place are more likely to secure coverage.

Work with insurance panels: Cyber insurance carriers often have pre-approved suppliers, or 'panels', that they work with in the event of an incident. Enterprises can request to work with their preferred suppliers, but early communication with the insurance provider is crucial.

Review the history of payouts: Enterprises should consider the history of payouts from the insurance provider. In 2022, 98% of respondents insured for and hit by ransomware said the insurance provider covered costs resulting from the attack.

Implement the required cyber controls: Insurers often look for certain cyber controls, such as multi-factor authentication and Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) tools. Having these controls in place can improve an enterprise's chances of securing coverage.

By considering these factors, enterprises can find a cyber insurance policy that fits their needs and provides adequate protection against potential cyber threats. Despite these challenges, the guide assures readers that cyber insurance policies invariably deliver if a cyberattack occurs.
