Most cybersecurity professionals know that cyber breaches increase each year. So it’s no surprise that the cybersecurity insurance business also keeps growing briskly. According to data from Markets and Markets and Polaris Market Research, the cyber insurance market swelled to $11.9 billion worldwide in 2022, up from $10.1 billion the previous year, and is projected to grow to more than $29 billion by 2027.
This coverage is expensive, which is why many companies, especially smaller ones, still don’t have it and may continue to hold back until they suffer a cyber breach. If nothing else, a breach usually brings them to the table at a qualified insurance company.
As the numbers plainly demonstrate, of course, plenty of organizations in North America – the single biggest market – have already taken this step. The lack of cyber protection these days can be nerve-wracking, notwithstanding the expense of purchasing it. Insurance broker Marsh says prices in the U.S. rose a whopping 28 percent year over year in the fourth quarter of 2022. As steep an increase as that was, it was less than it had been earlier last year, mostly because more companies implemented favorable cybersecurity controls.
Even so, most cyber insurance analysts believe prices will continue to rise as the corporate world relies increasingly on information technology and digital devices, and as ransomware and network intrusions keep escalating.
This raises the question of whether cybersecurity insurance is worth the money.
The answer: It is, at least for now.
It’s hard to argue that cybersecurity insurance isn’t generally better than no cyber insurance at all, despite the soaring price tags, because this insurance usually substantially mitigates the cost of a commonplace breach. And, in the case of small businesses, cyber insurance can prevent going out of business in the event of a breach. (Surveys show that more than half of small businesses victimized by a cyber breach go out of business within six months.)
In addition, companies in some cases can trim costs a bit by incorporating preventive measures beyond what some insurance companies now expect. They could, for instance, implement a so-called least privilege strategy in their IT systems so that select privileges are only granted for certain activities for a limited time, rather than broad, standing access, thereby mitigating insider threats. Companies could also pass on third-party coverage, which protects a company when a customer, vendor or partner sues them for allowing a data breach to occur.
At least some cyber insurance is pretty much essential in a digital-first world. Virtually every aspect of our lives and the corporate world is digitized, shifting cyber insurance from a luxury to a necessity. A BlackBerry survey shows that the threat of a breach is so prevalent that 60 percent of businesses say they would reconsider entering a partnership with a supplier if the company didn’t have cyber insurance.
Cyber breaches tend to produce significant revenue loss. IT system downtime can lead to work disruptions and may cause potential customers to explore other options. There may also be a loss of intellectual property and damage to the company’s brand reputation. In addition, there are often legal implications as angry customers file lawsuits. Even government entities sometimes enter the picture.
The origins of cyber coverage date back more than 25 years. Back then, some technology companies purchased errors and omissions (E&O) insurance, which covered claims arising from professional errors while offering services. Over time, this was expanded to include additional coverage, such as unauthorized access to a computer system, or the destruction of data.
Still later, policies added further coverage, such as breaches of confidential information. In particular, this appealed to retailers and hospitals that held considerable consumer data but did not need E&O insurance. These companies needed a standalone insurance policy that covered only data breaches. This heralded the birth of today’s cybersecurity policies.
The cost of cyber insurance now is based in part on the frequency, severity, and cost of cyberattacks, all of which have been increasing. Insurers have become selective about who and what gets covered. In recent years, a number of insurers have reduced coverage limits and/or increased premiums for higher-risk organizations and industries, such as academic institutions and the healthcare industry.
Insurers have also tightened policy terms and conditions in a bid to work mainly with entities that can demonstrate strong cybersecurity maturity. Today, they’re likely to want to see that specific security software is already in place and that a dedicated cybersecurity team and/or a strong partnership with a cybersecurity management company exists.
Prior to seeking cyber coverage, businesses need to have their security efforts formally stipulated. Among other things, insurers want to see that the company regularly tests offsite and onsite backups, and that the company has a cyber incident response plan in place.
Predictably, smaller companies with fewer resources have more problems than bigger companies in meeting these requirements. A recent Wall Street Journal survey of cybersecurity professionals noted that only 52 percent of small businesses had cybersecurity insurance, compared with 75 percent among larger businesses. Small businesses have been hurt harder by labor and supply shortages and inflation, and even by the ongoing effects of the Covid-19 pandemic.
Insurance companies may give them a bit more leeway in what protection they have in place when applying for insurance, but they still typically require that employees and third parties employ multifactor authentication. Small businesses might fare better by purchasing a policy from a technology company that sells insurance – so-called insurtechs – which rely heavily on artificial intelligence. But their customers are still under pressure to regularly improve their cybersecurity to maintain coverage.
Although many insurance companies believe they cannot afford not to be covered for cyber risk, there could be more roadblocks in the near future. A recent report by the U.S. Government Accounting Office (GAO) said it remains uncertain whether cyber insurance will be generally available and essentially affordable. Already, the GAO added, “some carriers had started limiting the coverage they offer to certain critical infrastructure sectors.”
As insurance rates keep climbing, and insurers offer more limited coverage, cyber insurance might become increasingly difficult to obtain. Let’s hope things don’t get this bad, and if they do, that the government steps in to help, perhaps with cyber insurance subsidies.
About the Author:
Robert Ackerman Jr. is the founder and managing director of AllegisCyber Capital, an early-stage cybersecurity venture capital firm based in Silicon Valley. He is also co-founder and a board director of DataTribe, a seed and early-stage foundry, based in Fulton, Md., that invests in young cybersecurity and data science companies.
Bob has been recognized as a Fortune 100 cybersecurity executive and also as one of “Cybersecurity’s Money Men.” Previously, as an entrepreneur, Bob was the president and CEO of UniSoft Systems, a leading UNIX systems house, and founder and chairman of InfoGear Technology Corp, a pioneer in the original integration of web and telephony technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.