Costs are on the rise across industries everywhere, and cybersecurity insurance rates are no exception. While coverage is a necessity for some, that still raises the question: is cyber insurance worth it?
A year ago, cybersecurity insurance rates rose by 10-30% overall. If you think that’s steep, bear in mind some healthcare providers reported 400-600% increases. As of this spring, the Wall Street Journal reported that the average increase in premiums for 2021 reached 92%.
And yet, even as insurance costs rise, coverage continues to erode.
If your business relies on cybersecurity insurance for attack recovery, now’s the time to read your policy’s fine print. If you haven’t looked at it recently, you need to ensure you remain covered.
You’ll also need to watch out for added exclusions and challenges on claims. With attacks on the rise everywhere, insurers are doing what they can to protect their own pocketbooks, including limiting payouts for significant categories of attack.
The value of cybersecurity insurance becomes unclear when it costs more and covers less.
Is Cyber Insurance Worth It? Attack & Insurance Stats to Consider
Cyberattacks are on the rise. And, in many cases, it’s by a substantial amount.
For instance, 2021 saw a general increase in attacks. One survey’s respondents reported:
- 57% increase in the volume of cyber attacks
- 59% increase in the complexity of attacks
- 53% increase in the impact of attacks
- 78% increase in those who experienced ransomware attacks
Amidst these sharp increases, cyber insurance providers worked hard to protect their own wallets. Surveyed policyholders also claimed that:
- 34% experienced increased prices
- 40% noted fewer options for coverage
- 47% found policies more complex
- 54% noted higher cybersecurity measures required
Given the stark rises in premiums and the added complexity of coverage, is cyber insurance worth it? Considering the drastic uptick in attacks, it might still be your best bet. That is, as long as you actually receive an insurance payout.
Unfortunately, that’s not something you can necessarily control. Let’s take a look at a few examples of what might go wrong.
Officially Denied: Nation-state Attack Coverage
Lloyd’s of London became the most significant insurance provider to officially deny coverage of nation-state attacks and cyberattacks occurring during wars. The decision affected customers of more than 76 member insurance syndicates.
At a minimum, the policies must deny losses arising from a war – even an undeclared war.
Clarifying these new clauses in court could take years. Meanwhile, organizations that recognize how widespread nation-state-sponsored attacks have become must also realize that many attacks may now be excluded from cyber insurance coverage.
Additionally, criminal ransomware and other financially motivated attacks may be associated with foreign adversaries, which creates further worries about denied coverage.
Officially Denied: Social Engineering Cons
Nation-state attacks aren’t the only problems you could face. Here, again, you’ll want to double-check your coverage terms.
In a case decided just recently, a PC store conned out of $600,000 via a business email compromise (BEC) fraud attack found itself unable to receive coverage from its insurer.
You see, even though the attack came through email, BEC attacks are legally classified as social engineering fraud, which doesn’t involve technology.
On these grounds, the cybersecurity coverage was denied. The claim was only paid under the specific social engineering fraud coverage, limited to $100,000.
Additional Required Protections
Most insurers have started to provide their clients with minimum security requirements to qualify for coverage. That means you need to go through your policies carefully and consider the measures necessary to reduce attack risk.
For example, many policies will require, at minimum:
- Email filtering and security
- Endpoint detection and response (EDR) or next generation antivirus
- Multifactor authentication (MFA) for remote access and privileged accounts
- Privileged access management (PAM)
- Secure, encrypted, and tested backups
- Web browsing security
More sophisticated policies may require or provide discounts for:
- Cybersecurity awareness and phishing training
- Cyber incident response planning and testing
- Elimination of end-of-life systems
- Hardening for remote access (especially for Remote Desktop Protocol (RDP))
- Security alerts, log monitoring, and network protections
- Supply chain risk management for applications, vendors, and customers
As with all IT security measures, there often will be multiple possible solutions that can be implemented to achieve these security goals.
Even after choosing a tool, control, or service, there may also be a variety of options to deploy for balancing risk reduction against budget and staffing resources.
Making the Decision
So, is cyber insurance worth it in 2022?
Well, it’s certainly becoming a difficult question to answer. However, as cyberattacks become more frequent, it’s more likely you’ll end up a victim at some point. It’s less a question of ‘if’, and more about ‘when’.
The key to making cyber insurance worth it is ensuring you always stay current on your policy’s requirements. If it requires you to pen-test your systems once a year, ensure you do it. If it requires you to provide anti-phishing training, then make sure you offer it to your team.
And, if you decide you simply can’t afford it, then make sure you invest something into stronger cybersecurity practices.
For some organizations, technical requirements can be difficult to understand, let alone implement properly.
Fortunately, help is always available through outsourcing.
Ideal Integrations, along with our cybersecurity division Blue Bastion, can provide the expert assistance you need. We’ll help you go through insurance policies, analyze the latest requirements, and propose a range of technology and service options to achieve them.
For example, in addition to endpoint security EDR and antivirus options, we provide vulnerability assessment and penetration tests to verify the right security is in place. And, just as important, we’ll help document it for your policy compliance or evidence for future needs.
Whether your needs require short term assistance for a specific implementation or long-term security monitoring, we can help you improve your security and become less dependent on cybersecurity insurance for protection.