All Things Cyber Insurance
How much does cyber insurance cost? Why does it cost so much? How can I save myself some money? All these questions and not enough answers! No worries, let's get started and quench our cyber insurance queries.
A study by AdvisorSmith, using quote estimates and rates from over 43 insurance companies, found that prices ranged from $650 to $2,357 annually, with the average cost of cyber insurance being $1,485 per year. These premiums were based on companies with moderate risk, liability limits of $1,000,000, deductibles of $10,000 and company revenue of $1,000,000.
Naturally, however, the price of cyber insurance varies quite significantly and depends on many key aspects. The factors that dictate a case-by-case quote include:
Industry: Depending on the industry your business falls in, you may fall into low, medium, or high-risk tiers. Different industries belong to different tiers. These tiers factor in the amount of sensitive data that your business handles.
Data Sensitivity: Different companies handle different amounts of data. For example, you may consider small businesses as low-risk companies since they have a smaller customer base.
Company Size: Businesses with more employees need more protection because larger companies are at greater risk of phishing or other cyber attacks.
Annual Revenue: If you have sizeable yearly revenue, your business is at greater risk of cybercriminal activity. Insurers will consider the amount of money your business generates when adjusting the cost of your cyber liability insurance policy.
So naturally, a mining organisation with very little internet-facing infrastructure would have a far cheaper premium than a cyber-oriented organisation. “The infrastructure, and conversely the attack surface, largely drives the risk”.
Additionally, every insurance company offers different levels of cover with higher tiers reaching deeper into your pocket. (More details found here)
Another factor determining the overall cost of cyber insurance is the deductible. Whilst you are free to choose how much of a loss you are willing to cover yourself, this affects the premium, with higher deductibles being favoured by insurers.
When all is said and done, a cyber insurance premium is vastly dependent on its environment.
What can we do in the long run, as a systematic solution? Whilst we can’t directly change an insurer's premium, there is fortunately a way to counter the rising price of cyber insurance as a collective effort. Ransomware is the largest concern to insurers: with it accounting for approximately 75% of all cyber insurance claims, insurers found themselves needing to mitigate losses and decided to bump up premiums. In layman's terms, not falling prey to ransomware will lower the overall market price for cyber insurance. How can we do this? Namely by implementing security best practices, specifically those against ransomware.
Below is a comparison between cyber insurance premium change and ransomware payment increases to better demonstrate how they come hand-in-hand. Interestingly enough, and not so coincidentally, they align.
Unfortunately, the cost of cyber insurance has risen rather significantly in the last few years. Having seen an 11.1% increase in premiums over the past two years, we are left asking why.
As mentioned, ransomware is the biggest villain here and is, for the most part, solely responsible for the dramatic increase in price over the past years. Having reached 304.7 million attack attempts in the first half of 2021 (100,000 more attacks than in the whole of 2020), cyber insurance companies found themselves needing to mitigate losses and sustain a profit in one of two ways.
Firstly, by simply increasing the price of cover: by charging more, insurers are able to sustain a more favourable business position without the fear of loss. Alternatively, and possibly in addition to a price increase, insurers can mitigate losses by selectively choosing who they cover, with high-risk companies, those more susceptible to attacks, being less likely to receive ideal terms, if any cover at all.
In addition to all these aspects, and as with most insurance, cyber insurance premiums increase after a claim is made.
“As with most types of insurance, premiums are likely to rise after making a claim. The amount your premium rises depends on market conditions and the specific terms of the policy.”
Here's a little insight into the primary causes of ransomware infections. The majority of these can be mitigated by following security best practices and cyber awareness, with the top three all being a direct result of a lack of cyber security training.
Now let us get onto the best practices to undertake to reduce the risk of falling victim to attacks, specifically those relating to ransomware.
Firstly and most importantly, shine some light on your cyber security risks so you can operate with intelligence. As Peter Drucker supposedly once said, “If you can’t measure it, you can't manage it”. Carrying out a cyber risk assessment allows you to identify the key risks, gaps and improvements which offer the best ROI.
If resources won’t allow for an external consultant to be brought in to carry out a risk assessment, here are some tips we recommend to all businesses:
> Know what physical and digital assets you have. If you don’t know what you have, you can’t protect it.
> Regularly patch those systems with software updates. Ideally, set them to update automatically. This reduces the time attackers have to exploit software bugs, which is often how attackers install ransomware within organisations. This advice also applies to software and applications such as your internet browser and work platforms such as Office 365 etc.
> Implement secure configurations on employee devices. Aside from keeping assets up to date, they should be appropriately locked down to reduce the chance of ransomware and other attacks. For example, by ensuring employees use standard accounts, and not privileged or administrative ones. If ransomware can get onto a device that is logged in as an administrator, it can delete backups and spread to other devices more effectively. Another secure practice is to remove any software or applications that are not being used. Again, this reduces the chance a ransomware attack can take place.
> Take and test data backups. Most organisations take backups, but they rarely test them. The testing process needs to include a measurement of recovery time. If backups are done over the internet, and are big (hundreds of GB or even TB) they could take days to recover. Will it be fast enough?
> Train your employees on cyber security threats and response procedures. Ensure they know what to do when they receive a phishing email or notice something suspicious.
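The backup advice above asks for a restore test that measures recovery time rather than just confirming a backup exists. The following is an added example, not part of the original post: a restore drill that backs up a constructed sample directory, restores it to scratch space, times the restore against an assumed recovery-time budget, and verifies every restored file by SHA-256. The RTO budget and the sample files are constructed values for this illustration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Recovery-time objective (RTO) budget in seconds. Constructed value for this drill;
# a real organisation sets this from its own business-impact analysis.
RTO_BUDGET_SECONDS = 60.0


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def fingerprint_tree(root):
    """Map each file's path (relative to root) to its SHA-256 for byte-for-byte comparison."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def take_backup(source_dir, archive_path):
    """Write a gzip'd tar of source_dir and return the fingerprint of what was backed up."""
    source_dir = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source_dir)))
    return fingerprint_tree(source_dir)


def restore_drill(archive_path, expected, rto_budget=RTO_BUDGET_SECONDS):
    """Restore to a scratch directory, time it, and report missing or corrupted files."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The 'data' filter (where available) refuses members that would escape restore_dir.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
        elapsed = time.monotonic() - start
        restored = fingerprint_tree(restore_dir)
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {"restore_seconds": elapsed, "within_rto": elapsed <= rto_budget,
            "files_expected": len(expected), "missing": missing, "corrupted": corrupted,
            "ok": not missing and not corrupted and elapsed <= rto_budget}


def run_demo():
    """Constructed drill: build a tiny 'production' tree, back it up, then restore and verify."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "prod"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Example Ltd\n")  # constructed data
        (src / "config.yaml").write_text("retention_days: 30\n")               # constructed data
        archive = Path(work) / "nightly.tar.gz"
        return restore_drill(archive, take_backup(src, archive))


if __name__ == "__main__":
    print(run_demo())
```

Run the same drill against a production-sized archive and the `restore_seconds` figure answers the "will it be fast enough?" question with a number instead of a guess.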
Ultimately, cyber insurance is in high demand, and the lack of knowledge of security best practices within a significant percentage of organisations leads to a large portion of ransomware claims, costing everyone too many resources and continually bumping up the price of cyber insurance. Instead of prioritising one over the other, have a balanced strategy that considers proactive security measures, response plans and, if appropriate, insurance policies.
“The benefit of the coverage outweighs the increase in the premium, and companies can avoid the worst instances by prioritizing cybersecurity generally. A cyber insurance policy is an important piece of the puzzle, but comprehensive protections are the only way to insulate an organization from the worst of today's and tomorrow's threats.”
Prevention is cheaper than the cure.