The 2024 Cyber Insurance Market

The first thing to bear in mind is that regulatory agencies never sleep, because they operate under the tenet of ‘Parkinson’s Law’, wherein the task expands to fill the time allotted for its completion. In effect, they are always looking for the next regulation to impose. We can expect changes in Cyber Insurance regulations and qualifications this year.

Regulatory compliance and standards are becoming more important in the cyber insurance industry as we see a rapid escalation in the evolution of cyber threats. In 2024, businesses may be required to comply with specific new regulations and standards to qualify for cyber insurance coverage. These regulations and standards may include requirements for data protection, risk management, and incident response planning.

For many Small and Medium-size Businesses (SMBs), this insurance niche is still a fairly new and unfamiliar concept. Avoid the concept that you don’t need it because you pay for ‘excellent IT support.’  That is the wrong way to think about it. Over the years, the percentage of data breaches that are caused by employees fluctuates within a small but high range: between 85% to 90%. These are untrained users who fall for phishing scams and click on malicious links or attachments.

Examine the history of Cybersecurity Insurance. When it was introduced in the 1990s, it was initially formulated to provide coverage for large enterprises, covering things like data processing errors and online media. Things have gotten more serious by leaps and bounds today, and it affects every business.

Since its inception, policies for cyber liability coverage have changed. These days, cyber insurance policies usually cover the typical costs of a data breach, including remediating a malware infection or compromised account.

Policies vary, but generally, they will cover the costs involved with things like:

Recovering compromised data

Repairing computer systems

Notifying customers about a data breach

Providing personal identity monitoring

IT forensics to investigate the breach (separate from your own IT services provider)

Legal expenses

Ransomware payments

The sheer volume of data breaches and the associated costs continue to rise. According to NASDAQ, 2021 set a record for the most recorded data breaches in a year, and breaches have continued to snowball. In the first quarter of 2022, breaches were up 14% over the prior year. In 2023, breaches went up 17% from the previous year.

Are small businesses vulnerable to cyber attacks?

Small, medium or gigantic - every business is vulnerable, and they are all targets. Small businesses often have more to lose than larger enterprises, as they do not have the same ability to absorb losses. About 60% of small businesses close down within 6 months of a disastrous cyber incident.

Unfortunately, it is not uncommon for businesses with less than ten employees to forego the cost of ongoing IT Support. Often, a friend or relative with a little ‘know-how’ will pitch in when needed. This situation does not typically ensure the best security measures.

The Cyber Insurance industry is evolving in relation to the aspects of the threats and ensuing liabilities. The changes in this type of insurance are caused by the increase in online danger and rising costs of a breach. Businesses need to keep up with these trends to ensure they can stay protected.

Some of the cyber liability insurance trends you need to know about:

Demand is Increasing

IBM documented the global average cost of a data breach in 2022 was at $4.35 million. In the U.S, it’s more than double that, at $9.44 million. As the associated costs continue to balloon, so does the demand for cyber insurance.

Organizations of all types and sizes are realizing that cyber insurance is crucial to the continuing viability of their enterprise. It is every bit as important as their business liability insurance. Without that protection, they can easily go under in the case of a single data breach.

Look for more availability of Cybersecurity insurance with the increase in demand. This also means more policy options, which is good for those seeking coverage.

Increase of Premiums

This is a case of a causal chain: With the increase in cyber-attacks comes an increase in insurance payouts, which in turn leads to higher premiums, and insurance companies are increasing premiums to keep up.

These increases have been driven by the costs from lawsuits, ransomware payouts, and other remediations. Insurance carriers aren’t willing to lose money on any type of policy, let alone cyber policies, so it stands to reason that those policies will get more expensive – especially since they are more necessary now than ever.

Certain Coverages are Being Dropped

Some types of coverage are getting more difficult to find. For example, some insurance carriers are dropping coverage for ‘nation-state’ attacks - those that come from a government.

Many governments have ties to known private hacking groups – Russia is the most prolific, whereas China and the US maintain state agencies for this job. A ransomware attack that hits consumers and businesses can very well land in this category.

In 2021, 21% of nation-state attacks targeted consumers, and 79% targeted enterprises and those statistics have remained in the same range ever since. So, if you see that an insurance policy excludes these types of attacks, be very wary.

Alarmingly, another type of attack payout that is being dropped from some policies is Ransomware. This is a foreboding trend that any decent IT services provider should be aware of, because Ransomware has been on a dramatic rise since early 2020, corresponding with the onset of the COVID pandemic and the massive rise in the remote workforce.

Paying cyber-ransoms for clients is not cost-effective for insurance carriers. So many are excluding these payouts from policies, putting a heavier burden on organizations. They need to ensure their backup and recovery strategy is well planned – which they should ALREADY be doing.

It’s Becoming More Difficult to Qualify

Just because you want cyber insurance, does not mean you are going to qualify for it. Qualifications are becoming stiffer because insurance carriers are getting more risk-averse to cyber issues, especially with companies that have exhibited a poor history of cyber hygiene. Think of trying to get automobile insurance when you’ve received ten traffic citations and caused five collisions in the last two years. Good luck with that.

Some of the factors that insurance carriers look at include:

Network security

Use of things like multi-factor authentication

BYOD and device security policies

Advanced threat protection

Automated security processes

Backup and recovery strategy

Administrative access to systems

Anti-phishing tactics

Employee security training

It is becoming more prevalent that you will be required to fill out a long questionnaire when applying for cyber insurance. The proposed insurer will specifically want to know what network security measures are in place. It is highly recommended to have your IT services provider help you with this.

In reviewing the questionnaire, your IT support can identify security deficiencies and suggest enhancements (if they are worth their salt, robust defenses should already be in place). Just like other forms of insurance, if you take steps to reduce risk, it can often reduce your premiums.

Before you apply for cyber insurance, it pays to do this type of security review as it can save you time and money. It can also fortify your defenses against cyber-attacks.