Lloyd’s of London, the world’s oldest insurance market, announced earlier this year that it will no longer cover losses from certain state-sponsored cyberattacks. Let that sink in for a minute: The organization known for covering such high-risk endeavors as space shuttle flights and the Titanic’s maiden voyage now considers some elements of cybersecurity a bit too dodgy for its taste.
The decision reflects a growing trend in the cyber insurance market. Following years of increasingly sophisticated and expensive attacks and breaches, insurers are attempting to limit their exposure by increasing premiums, imposing new restrictions on coverage or even abandoning the market altogether.
In a recent Veeam survey of 1,200 IT leaders, 21 percent reported that ransomware is now specifically excluded from their policies. Additionally, 74 percent said their insurance rates increased when they applied for a policy renewal, while 43 percent saw increased deductibles and 10 percent saw reduced coverage benefits.
Insurers Seeking Relief
Rapid increases in cybercrime are driving these changes. As cyber threats have become bigger and more frequent, so too have the claims made by policyholders. Fitch Ratings, a provider of research and analysis for global financial markets, reports that claims rose by about 100 percent and payments by 200 percent in each of the past three years. The surge has led insurers to impose stricter terms and conditions to avoid being inundated by large payouts.
The relative newness of cyber insurance markets is another contributing factor. Unlike traditional insurance types with well-established underwriting criteria and actuarial models, cyber insurance markets lack the extensive historical data and standardized evaluation methods necessary to assess and price risk. Without standardized risk assessment methods, insurers may write more high-risk policies than intended, resulting in an unhealthy concentration of risk that could threaten their financial stability in the event of a large-scale cyberattack.
Expecting Companies to Do More
Finally, there’s a growing sense in the industry that businesses aren’t investing enough in risk management strategies and have become too reliant on insurance for protection. For example, the Veeam study found that 77 percent of ransomware victims relied on their insurance provider to pay ransoms. To discourage payments and encourage stronger protections, insurers now commonly require those seeking coverage to demonstrate they have implemented measures such as multifactor authentication, end-to-end encryption, security awareness training and strong access controls.
Middle-market companies are particularly impacted by these changes. Cyber insurance can provide an important safety net for midsized companies that lack the in-house security resources of larger enterprises. However, policy and coverage changes are creating more holes in that net.
More than two-thirds of middle-market firms now carry cyber insurance, according to a new study from the U.S. Chamber of Commerce and RSM, a consulting firm focused on the middle market. However, the study also reflects significant reductions in coverage for data theft and extortion, including ransomware. As a result of changes in policy terms and coverages, more than a third of middle-market executives say they aren’t sure what their policies now cover.
Coverage Still Essential
Despite uncertainties in the industry, cyber insurance remains an important investment for most organizations. With the average ransomware payment now exceeding $1.5 million, even limited coverage provides a hedge against financial catastrophe. However, when shopping for policies, organizations must do their due diligence to ensure they have a clear understanding of the insurer’s security requirements and coverage limitations.
The cybersecurity team at Technologent can help you navigate this challenging process. In addition to conducting assessments to identify any gaps in your security posture, we can help you evaluate policies and implement any measures necessary to meet insurer requirements. Contact us to set up a confidential consultation.
October 16, 2023