The political and economic uncertainty throughout the world today is growing. The danger of malicious hacking is increasing as more and more parts of daily life simultaneously transition to the digital realm. An attack on another country or region by a state or an individual could have catastrophic results. Possible targets include utilities like power plants and communications networks. Businesses, the economy, and society might take a significant hit if a cyberattack were to affect the entire system.
The risk landscape in 2022
There has yet to be a systemic event of this nature thus far. However, ransomware occurrences and cybersecurity worries among organizations and governments are at an all-time high, indicating a rapidly changing cyber risk scenario. More complex attacks are happening now.
With the advent of ransomware-as-a-service, it is easier for bad actors to get into the hacking game, and attackers frequently deploy "triple extortion" strategies. Because of their limited resources and defenses, small and medium-sized businesses (SMEs) are more vulnerable to cyberattacks. Meanwhile, healthcare and critical infrastructure supply chains are more at risk than ever due to the digitalization of these industries.
Every business owner and CISO should look at the conclusions of the Information Risk Insights Study (IRIS) 2022, written by Cyentia Institute and supported by CISA.
- The frequency of cyberattacks continues to rise. Over the past decade, there has been a 44% rise in the monthly average of publicly reported occurrences.
- In the business world, the highest number of events occur in the healthcare and financial industries.
- Large companies with over $100B annual revenue are 32 times more likely to experience several security incidents in a year than smaller enterprises.
- The relative impact of incidents on smaller firms is significantly more substantial. Eighty-nine percent of all cyber loss occurrences that exceeded 10% of yearly revenues occurred at small and medium-sized businesses.
- Contrary to popular opinion, financial losses due to cyber events have not increased over the past 20 years.
The state of cyber insurance in 2022
Businesses, insurance companies, and government agencies have ramped up risk management initiatives. Insurance companies and trade groups have collaborated to define the boundaries of existing policies in light of the hidden cyber threat. Insurance plays a crucial role by facilitating risk transfer and motivating risk minimization, bolstering monitoring, and facilitating reactions to cyberattacks.
However, cyber protection is still lacking, as premiums cover a small portion of cybercrime costs. Most businesses either have no cyber insurance at all or have inadequate coverage. According to Swiss Re Institute, 55% of organizations said they had cyber coverage, and only 20% said their policy limits exceeded the average ransomware demand.
Within the CISO community, topics about cyber insurance always spark heated debate. Obtaining insurance is not necessarily about mitigating or shifting risk. Some businesses have stated that the primary motivation for purchasing cyber insurance was to cover the cost of potential legal penalties in the event of a breach, suggesting that this was a legal decision rather than an IT or business-driven one.
In 2020, Zurich North America conducted a poll among its clients. It found that business disruption (72%), system failure (70%), money transfer fraud (66%), social engineering (66%), and reputational loss (60%) were the top six motivating factors for purchasing cyber insurance.
Since cyber-attacks are becoming more common, sophisticated, and costly, many businesses now consider cyber insurance a necessity. In 2020, loss ratios increased due to the proliferation of ransomware attacks. The market's reaction was for insurers to raise rates, tighten underwriting standards, and tighten regulations.
Cyber insurance premiums rose by an average of 28% in the first quarter of 2022 compared to the fourth quarter of 2021, as reported by the Council of Insurance Agents & Brokers (CIAB).
Reduced provider appetite for the risk and increasing demand for coverage were key factors in the ongoing price hikes. The rising need for cyber coverage can be attributed partly to growing recognition among companies of the seriousness of the cyber threat to organizations of all sizes.
Growing cyber-attack frequency, sophistication, and financial toll contribute to rising cyber insurance premiums. Insurers have gotten pickier about who and what they cover in light of the growing uncertainty surrounding the nature of future dangers. Although organizations may find it harder to afford cyber coverage due to rising costs and other constraints, the number of businesses adopting this strategy is growing. Between 2016 and 2021, the share of first-time purchasers of cyber insurance increased from 26% to 50%. In other words, many businesses consider cyber insurance essential despite the high costs associated with such protection.
Insurers require better security
In addition to raising premiums, insurers are becoming more stringent in scrutinizing cyber claims to reduce losses. Insurers' requirements for their clients' security measures are increasing in complexity.
Cyber insurers are becoming pickier in their underwriting of businesses. Several insurance companies demand that prospective clients utilize at least multi-factor authentication to get a quote. Also, according to brokers and agents, carriers require more stringent password requirements, better oversight of third-party vendors, an incident response strategy, phishing education for staff, penetration testing, regular system backups, and endpoint detection.
However, it is getting more and more challenging for businesses to satisfy the baseline requirements for insurance. The poll found that 6% of ClubCISO members want cyber insurance but still need to qualify.
Insureds can save enough on premiums each year to more than cover the cost of installing the security measures necessary to reach the basic level of cyber hygiene. Therefore, the application and underwriting process can encourage a company to prioritize risk assessment, promoting the adoption of risk-based security solutions to cut down on premium costs. Having insurance coverage forces you to be more careful, which cuts down on your risk of misfortune.
Cyber resilience, defined as a "societal obligation" by the American Property Casualty Insurance Association, is becoming increasingly important. With no physical boundaries in cyberspace, businesses without adequate digital defenses leave themselves and the economy vulnerable. Policymakers have begun to advocate for more robust mandates after high-profile breaches, such as the one affecting Colonial Pipeline's IT systems.
Rules requiring firms to fulfill baseline cybersecurity standards, collaboration with the private sector, and more vigorous enforcement of new rules are all part of the United States' new strategy. Cyber insurance can reduce the need for mandates and increase fruitful cooperation between the private and public sectors if it provides financial incentives that align with market and public authority cyber deterrent objectives.