Why Cyber Liability Insurance Coverage Just Got Harder to Get

By: | Category: Cloud Computing, IT / Infrastructure

Cyber liability insurance is gaining in popularity as a tool to help companies hedge the financial losses caused by the rising threat of cyber incidents. However, recent changes are making cyber coverage harder to buy. What is the state of cyber liability insurance? Do you need it? Can you afford it? Can you even get it?

A brief history of cyber liability insurance

Cyber liability insurance began gaining popularity in response to the dot-com bubble in the 1990s. Early policies only covered damage to third parties, offering no protection to the insured. However, coverage quickly evolved to provide first party protection, providing a layer of protection for companies against unauthorized system access, computer viruses, and data loss.

Since then, the market has grown steadily and changed radically. The scope and breadth of cyber risks facing businesses today could hardly have been anticipated 25 years ago.

Demand, losses, and premiums are all on the rise

The demand for cyber insurance coverage is skyrocketing. At the same time, insurance providers’ losses are growing. High demand in combination with high payouts lead to increased premiums. Businesses report premium hikes of 50% and even 100% year over year.

Insurance payouts are rising in large part because of the increase in ransomware attacks. In the past, the biggest cyber threats were data breaches. Without minimizing the devastating consequences of a data breach, losses associated with a breach tend to be spread out over time, rather than as a single, sometimes multi-million dollar, ransomware payout.

Insurance companies are well equipped to handle risk. Their actuaries are experts in forecasting longer-term payouts. But increasingly, the losses are single events where the full loss coverage is reached in a single day — a model insurance companies do not embrace.

New mandates

Naturally, insurance companies want to mitigate risks by recommending — or even mandating — that their insured take the proper precautions to protect against lost. The newest and most significant of those mandates is the requirement for Multi-Factor Authentication (MFA).

In early 2020, President Biden signed an Executive Order intended to deter cybercrime. The Order mandated all federal agencies use Multi-Factor Authentication. Insurance companies rapidly took the opportunity to require their insureds have MFA in place before providing a quote — or a renewal — for most accounts.

Consider your risk threshold

Every company will need to analyze their own risk tolerance and make the decision whether to purchase cyber liability insurance accordingly.

Premiums are expensive, ranging from $1,500 annually for a small company to tens of thousands for larger companies. As you’d expect, premiums vary based on a number of factors, so be certain you understand what you’re buying and shop coverage carefully.

Before you decide against purchasing coverage, it’s worth keeping in mind that the potential cost of hacks may be larger than you think. The Hiscox Cyber Readiness Report found that the average cost of a cyber incident for businesses with 50 to 249 employees in 2019 was $184,000.

Part of the security armor

Cyber insurance does not replace the need for cybersecurity. Insurance cannot protect your company from phishing attempts, malware, or insider threats, it can only help minimize the financial damage caused by incidents like these. While we believe that insurance is important, it is of secondary importance to a robust security infrastructure. Think of this way — just because you have homeowners insurance doesn’t mean you shouldn’t lock the front door.

A robust security infrastructure is a mandate for businesses, and we believe that requiring MFA as a condition of cyber coverage is a smart move. We recommend MFA for our clients regardless of their insurance status. MFA is an integral part of that security infrastructure, as is email security and 24/7 network monitoring, and increasingly — a Zero Trust Policy, something we’ll cover in an upcoming post. Questions about MFA and your company’s security strategy? Contact one of the security specialists at Net at Work.