Cyber insurance offers financial protection and support in the event of a cyber attack, data breach, or other cyber-related incidents. Ironically, the security that insurance brings to policyholders stands in contrast to the shifting, dynamic state of the cyber insurance market in general.
The cyber insurance market is currently experiencing a state of flux due to several factors and ongoing developments in the risk landscape.
Key Contributing Factors to the Dynamic State of Cyber Insurance
Changing Attack Vectors
The continually evolving and expanding cyber threat landscape presents significant challenges to insurers. Cybercriminals are developing more sophisticated tactics, leveraging advanced techniques and technologies. As a result, insurers must continually assess and adjust their risk models, coverage offerings, and pricing structures to effectively address emerging threats.
Changing Regulatory Environment
The regulatory landscape surrounding cybersecurity and data privacy is constantly evolving. New laws and regulations are being introduced globally, imposing stricter obligations on organizations to protect personal data and report breaches. These regulatory changes impact the cyber insurance coverage requirements and expectations, leading to adjustments in policy terms, conditions, and pricing.
Shifting Risk Profiles
As businesses adopt new technologies and digital transformation initiatives, their risk profiles evolve. Emerging technologies, such as cloud computing, the Internet of Things (IoT), and artificial intelligence, introduce new vulnerabilities and potential cyber risks. Insurers must continually assess these changing risk profiles to ensure appropriate coverage and pricing, as well as stay ahead of emerging threats.
Lack of Historical Data
The relatively short history of the cyber insurance market makes it challenging for insurers to rely on extensive historical data to accurately assess risks and set premiums. The limited data on cyber incidents and claims make it difficult to accurately quantify and predict losses, leading to uncertainty in pricing and coverage terms.
What Does Cyber Insurance Cover?
Cyber insurance provides coverage for a range of cyber risks and their associated costs. Here are some key areas typically covered by cyber insurance policies:
Data Breach Expenses: Costs related to managing and recovering from a data breach, including forensic investigations, notifying affected individuals, credit monitoring, public relations, and legal fees.
Cyber Liability Insurance Coverage: Coverage for legal costs, settlements, and judgments associated with third-party claims arising from a cyber incident, such as privacy violations, defamation, or intellectual property infringement.
Business Interruption: Reimbursement for income loss and extra expenses incurred due to a cyber incident that disrupts normal business operations.
Extortion and Ransomware: Coverage for ransom payments or expenses related to responding to extortion attempts or ransomware attacks.
Digital Asset Restoration: Coverage for costs associated with restoring, recovering, or replacing digital assets, including data and computer systems.
What Isn’t Covered by Cyber Insurance?
While cyber insurance provides valuable protection, it’s essential to understand its limitations. Here are some common exclusions or limitations you might encounter:
Known Vulnerabilities: Cyber insurance typically does not cover losses resulting from known vulnerabilities or security weaknesses that were not addressed appropriately.
Intentional Acts: Damages resulting from intentional or fraudulent acts by the insured party are generally excluded.
Prior Acts: Some policies may exclude coverage for cyber incidents that occurred before the policy’s effective date.
Terrorism and State-Backed Cyber Attacks: Cyber insurance may exclude damages arising from acts of war, terrorism, or similar events.
Non-Cyber Events: Damage caused by non-cyber events, such as physical theft or natural disasters, is generally not covered by cyber insurance.
Why Insurers Want to Exclude State-Backed Cyber Attacks from Cyber Insurance Policies
In August 2022, the renowned insurance marketplace Lloyd’s of London made a significant announcement that could impact the cyber insurance landscape. Starting in 2023, Lloyd’s will introduce cyber insurance exclusions to coverage for what it deems as “catastrophic” state-backed cyber attacks. While Lloyd’s remains supportive of offering cyberattack cover, it acknowledges that cyber-related risks are continuously evolving. As a result, the company is taking precautionary measures by requiring its insurer groups to include suitable clauses that exclude liability for losses arising from state-backed cyber attacks, following specific requirements.
The decision stems from a growing recognition within the insurance industry that state-backed cyber attacks pose unique and formidable challenges to the insurance market. In their bulletin, Lloyd’s highlights the need for underwriters to consider the possibility of state-backed attacks occurring outside of traditional wartime scenarios involving physical force. The extensive damage these attacks can inflict and their potential to spread create a similar systemic risk for insurers, making it essential to address these risks effectively.
Complexities of State-Backed Cyber Attacks
Unlike conventional cyber threats originating from individual hackers or criminal organizations, state-sponsored attacks operate on a completely different trajectory and with different motivations. They are often carried out by nation-states seeking to further their political, economic, or military interests. These attackers can have vast resources, sophisticated techniques, and access to advanced cyber tools, making them capable of causing substantial and widespread damage.
The ramifications of state-backed attacks can extend beyond individual companies and industries, potentially affecting critical infrastructure, governmental institutions, and even entire nations. Such attacks can disrupt financial systems, disable essential services, and compromise sensitive data on an unprecedented scale, resulting in substantial financial losses.
Ensuring Appropriate Standards
To safeguard their customers and maintain a stable cyber insurance market, Lloyd’s emphasizes the importance of ensuring that all syndicates writing cyber attack policies do so at an appropriate standard. Robust wordings in insurance policies are essential to clearly outline the scope of coverage and explicitly define exclusions. Given the intricate nature of state-backed cyber attacks and their potential legal implications, Lloyd’s calls for thorough legal review of policy wordings to ensure they are sufficiently robust and able to withstand the complexities that might arise.
The Case of the Oreo Cookie and State-Backed Cyber Attacks
On a similar note, a settlement was reached last November in a $100,000 lawsuit between Zurich, a global insurance giant, and Mondelēz International, the global food brand behind Oreo cookies and Ritz crackers. The lawsuit, which revolved around Mondelez’s claim against Zurich to cover losses it suffered from the notorious NotPetya attacks of 2018, may reshape the cyber insurance market.
The lawsuit hinged on Zurich’s denial of claims from Mondelez after the NotPetya malware locked up 1,700 of its servers and a staggering 24,000 laptops, bringing the corporation to a grinding halt with more than $100 million in damages. The 2017 NotPetya attacks were linked to Russia-affiliated state threat actors, and insurance giant Zurich denied Mondelez’s claim, citing an exclusion in their contract for “acts of war”.
It’s clear that what Mondelez and many other corporations were victims of was not an act of war, but “collateral damage” in a much larger geopolitical war that they were not affiliated with, said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “We’re going to need to rethink what act of war means in cyberspace when it comes to insurance,” said Lewis. “The current definitions come out of the 19th century when we had pirates, navies, and privateers.”
How the State-Backed Exclusion May Impact Cyber Insurance
To protect themselves from huge payouts, some insurers indicated that they will be excluding coverage for state-backed attacks in policies starting at some point in 2023. The problem with this approach is that it can have devastating effects on the cyber insurance industry, as companies won’t see the benefit of paying insurance premiums given the sheer volume of state-sponsored cyber activity.
Caroline Thompson, head of underwriting at Cowbell Cyber, a cyber insurance provider for small and midsize businesses (SMBs), notes that ambiguity in the policy wording regarding “acts of war” cleared the path to the Mondelez settlement. This, she explained, should serve as a warning to underwriters and insurance providers. If there’s one thing everyone agrees on in the cyber insurance market, it’s that transparency and clarity are key to a successful policy.
Who Needs Cyber Insurance?
In today’s interconnected world, virtually every business that uses digital systems and handles sensitive data can benefit from cyber insurance. Here are a few examples of industries that typically prioritize cyber insurance:
Healthcare: Medical practices, hospitals, and healthcare providers that store and transmit protected health information (PHI).
Financial Services: Banks, credit unions, insurers, and other financial institutions that handle sensitive financial data.
Retail and E-commerce: Online retailers and businesses that process customer payment information.
Professional Services: Law firms, accounting firms, and consulting companies that handle client data.
Technology Companies: Software developers, IT service providers, and tech startups that manage proprietary information or provide technology services.
How Does Cyber Insurance Work?
When a cyber incident occurs, the insured party typically notifies the insurance provider and begins the claims process. Here are the general steps involved in how cyber insurance works:
Incident Reporting: Promptly report the cyber incident to the insurance provider as specified in the policy.
Investigation and Response: Work with the insurance provider and their approved experts to conduct investigations, mitigate damages, and implement necessary response measures.
Claims Evaluation: The insurance provider evaluates the claim, including assessing coverage, determining liability, and estimating the damages.
Claims Settlement: If the claim is approved, the insurance provider pays out the agreed-upon amount, subject to cyber insurance coverage limits, deductibles, and any applicable sub-limits.
Continuous Risk Management: Throughout the policy term, it is essential to implement and maintain robust cybersecurity measures and adhere to any risk management requirements outlined by the insurance provider.
What Does Cyber Insurance Cost?
The cost of cyber insurance varies depending on several factors, including the size and industry of the business, coverage limits, risk profile, and policy features. Small to medium-sized businesses can expect annual premiums ranging from a few thousand to tens of thousands of dollars. Larger organizations with higher risk exposure may see premiums in the hundreds of thousands or even millions of dollars.
Other factors influencing the cost include policy deductibles, the scope of coverage, the insurer’s underwriting process, and the organization’s cybersecurity measures and risk management practices.
Why Are the Costs of Cyber Insurance Policies Rising?
Cyber insurance prices have been on the rise due to several factors contributing to the increased costs and risks associated with cyber incidents. Here are some key reasons behind the upward trend in cyber insurance prices:
Escalating Cyber Threats
The frequency and severity of cyberattacks have been steadily increasing. Cybercriminals are becoming more sophisticated, utilizing advanced techniques and tools, resulting in larger and more damaging breaches. The rise in cyber threats translates to higher potential losses for insurers, leading to increased premiums to cover these elevated risks.
Evolving Regulatory Landscape
Governments worldwide are implementing stricter data protection and privacy regulations. Compliance with these regulations often involves costly measures such as notification requirements, legal expenses, and fines for non-compliance. Insurers account for these potential costs when pricing cyber insurance policies.
Expanding Scope of Coverage
Cyber insurance policies have broadened their coverage scope to address emerging risks. As new cyber threats emerge, such as ransomware attacks and social engineering fraud, insurers need to include these risks in their coverage, leading to higher premiums to accommodate the expanded protection.
Increasing Costs of Remediation
The costs associated with responding to and recovering from a cyber incident are rising. This includes expenses for forensic investigations, breach notification, credit monitoring, public relations, legal fees, and system restoration. Insurers need to factor in these increased costs when determining premiums.
High-Profile Cyber Incidents
High-profile cyberattacks and data breaches have drawn significant media attention, highlighting the potential financial and reputational impact of such incidents. These incidents increase awareness and concern among businesses, leading to greater demand for cyber security insurance coverage, which in turn influences pricing.
Capacity and Competition
The overall capacity of insurers to underwrite cyber insurance policies is limited. As demand increases, the limited capacity combined with the growing number of businesses seeking coverage can drive prices upward due to the supply-demand dynamics in the market.
How To Assess Your Cyber Insurance Needs
While comprehensive, standalone cyber policies may not have been deemed essential for small businesses a few years ago, the landscape has since shifted dramatically. Attackers are now increasingly targeting smaller enterprises, making it imperative for them to have adequate cyber insurance coverage.
Remember: Sound Cyber Hygiene is Your First Line of Defense.
Before seeking cyber insurance, organizations should focus on cultivating sound cyber hygiene practices. This includes implementing a robust backup strategy, employing multi-factor authentication at critical access points, and maintaining strong patch management processes. Such measures are foundational in reducing vulnerabilities and minimizing the impact of potential cyber incidents.
Leveraging Centraleyes for Enhanced Cyber Insurance Protection
Cyber resilience starts with an intuitive, in-depth risk assessment. Centraleyes risk assessment and quantification tools are designed to determine the likelihood and the financial impact of cyber risks and to identify security gaps in your systems. Our powerful platform generates the actionable insights you need to understand what your cyber risk level means to your business.
As insurance carriers become increasingly selective about which businesses they are willing to underwrite, insurers have raised their coverage threshold to strict standards of minimum cyber hygiene. Centraleyes’ platform identifies vulnerabilities in your system, facilitates risk mitigation, and ultimately gets you to a state of cyber-readiness so you can approach the insurance application process empowered with our expertise and a strong cyber posture.