Cybersecurity insurance is still a pretty new concept for many SMBs. It was initially introduced in the 1990s to provide coverage for large enterprises. It covered things like data processing errors and online media.
Over the last 30 years cyber insurance has evolved. Today’s cyber insurance policies are more robust and cover the typical costs of a data breach including but not limited to:
- Recovering compromised data
- Restoring computer systems
- Mandatory notifications informing customers about a data breach
- Providing personal identity monitoring to your impacted clients
- Incident Response teams to minimize the impact of the breach
- Forensics teams and cybersecurity experts to investigate the breach
- Legal expenses
- Ransomware payments
Data breach occurrences and costs continue to rise. 2021 set a record for the most data breaches recorded. In the first quarter of 2022 alone, breaches were up 14% over the prior year.
The unfortunate truth is that no one is safe. As our clients’ managed IT support provider and fractional CISO (as part of our Managed Security Services offerings), we have had many uncomfortable conversations that always start with “we’re too small, no one is ever going to target us, so why spend the money on cybersecurity”, or some variation of that. These conversations always end with our client running the numbers and realizing they’re not comfortable with that level of risk. When I say the conversation is uncomfortable, I don’t mean for us; Ikigai One is comprised of seasoned experts in their respective fields, including cybersecurity. These conversations are not new to us because we ask these questions every day. We always weigh the actualized risk for our clients, and when we do the math they quickly realize that even small businesses are targets.
SMBs often have substantially more to lose than larger enterprises due to the nature of economics at scale. If your business were to suffer a ransomware event that cost you an entire month of downtime, would you have the liquid capital available to pay for the remediation, lost product, employee wages, rent, and all your other business expenses while having zero cash flow? A Fortune 500 enterprise, by comparison, would survive: their shareholders would be incredibly upset and the stock price would fall, but they would live to profit another day. About 60% of small businesses close down within 6 months of a cyber incident.
The increase in online danger and rising costs of a breach have led to changes in this type of insurance. The cybersecurity insurance industry is ever evolving. Businesses must evolve too or be left behind.
The Top Cyber Liability Trends You Need To Know About:
Demand is Going Up
The average cost of a data breach is currently $4.35 million (global average). In the United States, it’s worse: more than double that, at $9.44 million. Rapidly inflating costs are causing high demand in the cyber insurance market.
Companies in all industries and verticals are realizing with horror that cyber insurance is critical. It’s as important as general liability insurance. Businesses that are forced to pay out of pocket for cyber incidents usually shutter their doors due to the extraneous costs. It can cost more to fix the ship than it’s worth. The current situation is lighting fires under businesses to get insured, and quickly, before rates continue to rise.
Premiums are Increasing
An increase in the amount and sophistication of cyberattacks across the board means more payouts from insurers, which in turn means rate increases are imminent. In 2021, cyber insurance premiums rose by a staggering 74%.
The combined costs from ransomware payouts, data breaches, service disruptions, and lawsuits are resulting in skyrocketing premiums. Insurance carriers aren’t willing to lose money on cybersecurity policies; thus, those policies are getting more expensive. Insurers know these policies are necessary, further exacerbating the situation. There’s really only one solution and it’s not what you’d expect:
Certain Coverages are Being Dropped
Finding certain types of coverage is becoming increasingly difficult, as some insurance carriers are excluding coverage for “nation-state” attacks, which are attacks that originate from a government. These attacks are particularly concerning because many governments have ties to known hacking groups, meaning a ransomware attack that targets consumers and businesses could be classified as a nation-state attack.
In 2021, 21% of nation-state attacks targeted consumers, while 79% targeted enterprises. Therefore, it is important to be cautious when reviewing an insurance policy that excludes coverage for these types of attacks. Since most large hacking groups have ties in some way to a foreign government, the insurance company could invalidate any claims made for damage caused by them.
Another type of coverage that is being dropped from some policies is ransomware. Between the first and second quarters of 2022, ransomware attacks increased by 24%. As a result, insurance carriers are becoming less willing to pay ransoms on behalf of unsecured clients, and are excluding ransomware payouts from policies entirely. This puts a greater burden on organizations to ensure their backup and recovery strategies are well-planned and tested to protect against these types of attacks.
It’s Harder Than Ever to Qualify
Everyone wants cybersecurity insurance, but that doesn’t mean they’ll qualify for it. The qualification process for obtaining cyber insurance is becoming more conservative every quarter. Many insurance companies are taking a position of refusing coverage entirely for organizations they deem to have a poor cybersecurity posture. The questionnaires are getting longer and the requirements are getting higher.
Some of the factors that insurance carriers look at include:
- Network security
- Use of things like multi-factor authentication on all accounts
- BYOD and device security policies
- Advanced threat protection (EDR is now mandatory)
- Automated security processes
- Backup and recovery strategy (is now almost universally mandatory)
- Administrative access to systems (is now heavily scrutinized)
- Anti-phishing tactics
- Employee security training
You’ll often need to fill out a lengthy questionnaire when applying for insurance. This includes several questions about your cybersecurity situation. Your IT provider may be able to help explain certain things to you, but their assistance may be limited due to the legality and liability associated with the insurance industry. Look for a managed IT services provider with experience and connections with the insurance industry.
The amount of effort that is required to meet the qualifications for cyber insurance may seem daunting at first, but reviewing the questions provided by insurers can also serve as an opportunity to identify and implement security enhancements with the help of your IT partner. Similar to other forms of insurance, taking steps to reduce risk can often lower your premium costs.
Conducting a cybersecurity review before applying for cyber insurance can save time and money in the long run, while also strengthening your defenses against cyberattacks. It is an investment that is worth making. [Shameless Plug: Our awesome cybersecurity experts offer this to all of our managed clients for free, so please give us a call]
We Promise: There Is Hope!
Cybersecurity coverage and insurance applications can be complex. If you answer a question incorrectly, it can mean paying hundreds or thousands more per year in premiums than you should.
If you’re considering cybersecurity insurance (and you should be), don’t go it alone. Schedule a FREE 45-minute consultation (valued at over $499) with some of our cybersecurity experts. We’ll get to know your business and its needs and create a custom plan to get you cyber insurance ready.
We work with leaders in the cyber insurance industry, and because our expertise and processes are so heavily vetted and trusted, Ikigai One is able to offer substantial discounts on cyber insurance through its partners as well as an expedited onboarding process for all managed clients in New Jersey, Maryland, Texas, and Washington DC. This is not a promotion or offer; we legally can’t and don’t make money from this. We offer this service because we genuinely believe that cyber insurance is now a requirement for most businesses and we want to do everything in our power to help you get it!