While the cyber insurance market is showing some signs of stabilization, those who have purchased commercial cyber insurance over the past five years likely experienced double-digit cyber insurance premium increases. Risk managers and other organizational leaders are asking why cyber insurance is so expensive and whether it is worth it.
What Is Cyber Insurance?
Cyber liability insurance, also referred to sometimes as cyber risk insurance, cyberattack insurance or cybersecurity insurance coverage, helps companies respond to and recover from the financial impacts of cyber-related events. In addition to data breaches, these events could include malware infestation, email compromise and denial of service/ransomware attacks.
Learn more by reading “What Is Cyber Insurance?”
Who Needs Cyber Insurance?
Every organization is at risk of cyberattacks today. Any organization with an email address or a bank account should invest in cyber insurance. If a company stores credit card numbers, customer data, personally identifiable information (PII) or protected health information (PHI), the company should invest in cyber liability coverage. If an organization has a website, processes online payments or is part of an industry with many regulations around customer data, it should secure a cyber insurance policy.
Further, no business is too small for cybercriminals to target. Data security and networking company Barracuda Networks reports that small businesses with fewer than 100 employees are three times more likely than larger companies to be targets of social engineering attacks. A social engineering attack occurs when a threat actor tricks an employee into sharing sensitive information or making a security mistake.
Why Buy Cyber Insurance?
It’s a cliché, but it’s true. It’s not if a cyberattack will impact an organization; it’s when. Recovery takes time and money.
Consider some of the losses cyber insurance can help protect against:
- The cost of repairing systems and recovering data
- The cost of paying a ransom
- The cost of business interruption while systems are being restored
- The cost of engaging forensics experts to determine what happened and how
- The cost of notifying clients and offering credit monitoring
- The cost of hiring legal counsel to defend against lawsuits
- The cost of engaging media experts to minimize reputational damage
- The cost of paying federal and municipal fines
Cyber insurance may be what keeps the business afloat after an attack. Learn more by reading “Cyber Insurance Coverages 101.”
How Much Does Cyber Insurance Cost?
The cost of cyber liability insurance for a small business generally starts at $2,500. For medium- and large-size businesses, the yearly premium could be a few thousand dollars to tens of thousands of dollars per $1 million in coverage. However, every organization is unique, and the cost will vary for each business.
Companies with shareholders should especially consider cyber coverage and limits carefully. Recently, stakeholders brought suit against a company’s board members after a cyberattack. They alleged mismanagement because the company had not secured enough cyber insurance coverage, thinking it was too expensive.
Why Are Cyber Insurance Prices Rising?
This year alone, data from 5.4 million Twitter accounts, social security numbers of 2.5 million student loan borrowers, and the PII of 9.7 million current and past Medibank healthcare and insurance clients were breached. The severity and cost of cyberattacks like these, especially where ransomware is involved, have been key drivers of cyber insurance costs. The average data breach cost is now $4.35 million, a 12.7% increase since just 2020, according to IBM Security’s Cost of Data Breach 2022 Report.
Business email compromise (BEC) scams have also been on the rise. According to the FBI, between July 2019 and December 2021, actual and attempted BEC losses (U.S. dollars) increased by 65%. It’s no wonder, then, that cyber insurers have adjusted premium rates dramatically in recent years.
What Affects Cyber Liability Insurance Costs?
When considering cyber liability insurance premiums, insurers look at several factors, including what is happening in the market overall and the prospective client’s risk profile and claim history. Carriers also consider the following elements when determining whether to insure an organization and the cost of cyber liability insurance.
Some industries, such as healthcare, higher education, retail and manufacturing organizations, are targeted by cybercriminals more often than others. Organizations in these sectors store the types of data (e.g., social security numbers, credit card information, bank account numbers, etc.) most prized by threat actors, putting them at greater risk for a cyber event. In the case of manufacturers, cybercriminals know that companies lose a lot of money every hour a line is down and that chaos can quickly erupt, pressuring the organization to pay a high-dollar ransom quickly.
Number of Employees
The greater the number of employees, the more opportunities cybercriminals have to access a company’s sensitive information and infrastructure. Unfortunately, employees are the most significant cyber weakness in any organization.
The more money an organization has, the more attractive it becomes to cybercriminals. However, smaller organizations are typically easier targets because they don’t usually have the in-house cybersecurity resources that larger organizations have. This makes small companies attractive, too.
Deductibles and Limits
As with most types of insurance, the deductible or retention (the amount a company will pay before its insurance kicks in) and the limits (the maximum amount the insurer will pay for a claim) impact the cost of the premium. Generally, the more risk an insured is willing to assume, the lower the premium. When a company is willing to assume more risk, it signals to the carrier that the organization is confident in its cybersecurity measures.
How to Manage Cyber Insurance Costs
While organizations cannot control all the factors driving the cost of cyber insurance, they can make themselves more attractive to insurers compared to others competing for available coverage and the best rates.
Insurers want proof that a company has done everything possible to prevent cyber events. These actions include training employees to recognize phishing scams, implementing multifactor authentication and endpoint detection and response, and regularly patching software. Learn more by reading “6 Steps to a Better Cyber Insurance Policy.”
How Hylant Can Help You
Hylant’s dedicated cyber risk and insurance team works with organizations to help them understand and address their cyber risks from an insurance perspective. We provide risk profiling, exposure quantification, insurance procurement and negotiation, risk readiness and incident response planning services. Working with our clients, we minimize cyber events’ potential financial and reputational impacts on their organizations.
The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.