Almost exactly a year ago, cybersecurity professionals were locked in a heated debate about insurance. While some were keen to point out that the future of the industry would need to include some form of insurance market, others argued that cyber insurance would never be worth the premiums, especially given the inherently volatile nature of cybersecurity.
The pandemic has changed all of that. According to the FBI, cyberattacks have increased by almost 400% since the start of the pandemic, and 68% of companies have reported that they’ve seen increases in fraud. In addition to this rising threat level, we’ve also seen attacks on many companies that had previously been regarded as low-risk, especially mid-sized enterprises.
This has led, unsurprisingly, to a booming market in cyber insurance. In this article, we’ll take a look at how the market has changed in the last 12 months and where it will go from here.
The current state of the cyber insurance industry is summed up in two recent reports: one by KPMG and another by Allianz.
Both reports make for sobering reading. KPMG discovered that 74% of businesses do not have any sort of cyber liability insurance. Of those that do have it, only 48% believed their coverage would cover the actual cost of a breach. At the same time, Allianz's report indicates that the level of risk faced by the average company has increased dramatically in the last year.
This second report, entitled Managing The Impact Of Increasing Interconnectivity - Trends in Cyber Risk, analyzes 1,736 cyber-related insurance claims worth EUR 660 million ($US 770 million) involving AGCS and other insurers from 2015 to 2020. It found a 70%+ increase in the average cost of cybercrime to an organization over five years (now up to $13 million) and a 60%+ increase in the average number of security breaches. Most telling, the number of cyber insurance claims are also spiking – there were 809 such claims in 2019, but in 2020, there were already 770 claims in the first three quarters.
Look a little deeper into these numbers, and you’ll also see that the “typical” target of malicious hackers – if such a thing can be said to exist – is changing. Just a few years ago, most cyber criminals were focused on breaching the defenses of large corporations who could afford to pay large ransoms for the return of their data. This led to an arms race between enterprises and (sometimes state-sponsored) criminals, with large corporations rapidly expanding their cybersecurity infrastructure.
For now, it seems that this has worked, but that’s bad news for smaller companies. With large companies putting in place sophisticated cybersecurity systems, malicious hackers have turned their attention to smaller, less well-protected companies. As Forbes recently reported, this means that mid-sized companies are under a greatly increased threat at a time when many lack the necessary security resources and expertise.
These changing tactics can be seen at work in a few different ways. Threats like the ever-popular ransomware, which can be particularly dangerous for mid-size companies, are on the rise. Likewise, the Covid-inspired work from home phenomenon has made the sometimes cobbled together support infrastructures into high-risk targets.
While the use of some defensive tools has risen to prominence in an attempt to stay ahead of attacks, the reality is that all the tools in the world don’t help much when employees don’t know the first thing about securing their home work environment against cybercriminals, leaving company IT teams to spend every day scrambling to put out a never-ending procession of security emergencies.
The boom in cyber insurance
Unsurprisingly, the transformations just mentioned have led to a boom market for cyber insurance providers. An increased level of threat naturally drives investment in the industry, of course, but the market has also benefited from the rise in attacks against mid-sized firms. These companies are more aware than ever of the dangers of cyber crime, particularly the financial impact this can have. With resources at a premium, recruiting and hiring new staff for cybersecurity departments is often a non-starter.
All of this has led to an increasing number of organizations to hedge the risk of cybercrime in a post-Covid world by turning to insurance. As a result, the global cyber insurance market is currently estimated to be worth $7 billion, according to Munich RE, but it is growing rapidly.
That’s great news for insurance companies, of course, but it may be less so for companies looking to protect themselves from malicious hackers. Subcontracting cybersecurity is a natural way for many small- and mid-sized companies to ensure protection, but companies of this type should also be aware that cyber insurance is not a panacea when it comes to protection against criminals.
This is because the market is still relatively young, and policies have yet to become standardized enough to be easily understood by those outside the cybersecurity industry.
There are concerns raised by cybersecurity engineers about what is covered in these policies, and what is not, including the fact that the most common cause of cyber breaches – employee error – appears to be explicitly excluded as a basis for a claim in many policies. Similarly, it’s not apparent that a one-time payout from an insurance policy will be sufficient for companies to defray the cost of a cyber incident because the impact of losing customer data can last for years and is hard to calculate.
The bottom line
This said, cyber insurance can be an extremely effective way for small companies to offset the risk of the pandemic, even if it can’t be mitigated completely. The need to have employees working from home, at least in the short to medium term, is not likely to change. As long as both insured and insurer are able to agree on a reasonable threat profile, as well as explicitly agree on what level of coverage is required, there is no reason to avoid taking out this kind of protection.
And it may just be, looking to the immediate future, that the pandemic will turn out to have been a positive period for the cyber insurance industry; as demand increases, this will drive competition in a market that, until quite recently, was regarded with skepticism from many in the technology industry.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.