Premiums for cyber insurance are skyrocketing, and it's not because of inflation.
It has been a little over 1 year since the very public cyber-attack on Colonial Pipeline Co. that resulted in a $5M ransom demand. The effect that this hack and a subsequent string of high-profile attacks had on the cyber insurance market in 2021 is unprecedented.
Insurance companies were excited to enter this budding new market in the late twenty-teens. There was very little risk and plenty of interested buyers. This new coverage niche was highly profitable.
Then Everything Changed
The Covid-induced increase in remote work and more lax security protections created a perfect opportunity for hackers. There was a dramatic increase in the number of ransomware attacks, including those on the Colonial Pipeline, JBS (the world's largest meatpacker), the Steamship Authority of Mass., and the Washington DC Metro Police Department. Not only was the number of attacks increasing, but the ransom amounts paid increased by 300%, according to the Harvard Business Review. Computer manufacturer Acer was attacked by the REvil hacker group, which demanded $50 million, the largest ransomware amount to date.
Cyber insurance carriers started taking heavy losses in pay-outs to claimants. The direct loss ratio for these plans in 2020 was 72.5% compared to 47.1% in 2019. As a result, according to Fitch Ratings, direct-written premiums increased by 92% from $1.6 billion in 2020 to $3.1 billion in 2021. Analysts say that the increases are being passed along to the insured as rate increases rather than the insurers expanding the amount of money they are willing to cover. And it's working! The rate increases led to insurers' direct loss ratios falling from 72.5% in 2020 to 65.4% in 2021. So we can't expect the increases to stop anytime soon.
Risk Mitigation
So what is the role of insurance in protecting yourself against the losses incurred by a data breach? Adding another layer of risk protection using cyber liability insurance makes sense in today's world, but it pays to be smart about it.
Reach out to a qualified and long-standing insurance company that knows cyber coverage. They (and their underwriters) will need to know the current cybersecurity policies you have in place to protect your data. The insurance company will ask you to fill out a questionnaire that will include many questions related to your current network and existing policies for securing your data. You may need help answering the questions. A good first step would be to reach out to a qualified IT firm to perform an audit of your network and help answer these questions. If your cybersecurity policies are where they need to be, it will help lower your premiums.
Cybersecurity Policy Basics
Before you contact an insurance company about cyber liability insurance, you will benefit from tightening up your security policies.
Protect your data. Follow the rule of 3-2-1:
- Keep three (3) backups: the original and 2 copies.
- Keep them on two (2) types of media.
- Keep one (1) copy offsite.
But most importantly, you must remember to test them frequently to make sure you can retrieve your data at any time.
Remember to:
- Install firewalls, anti-malware software, and access authentication systems.
- Arrange for security training for all employees.
- Inform employees regularly about new scam emails or viruses and ways to combat them.
- Invest in new security technologies as they become available. Stay ahead of the attackers.
Engage cyber strategies such as endpoint protection, DNS-layer security (DNSLS), and multi-factor authentication (MFA), but most importantly, enforce employee training and awareness.
These are just a few examples of tools that will help you thwart a cyber attack.
Summary
We are all aware of the cyber criminals out there, ever-present and searching for weaknesses to exploit, but perhaps even more dangerous are the unscrupulous companies that feast on fear, hoping to increase their revenue at the expense of the unaware. Educate yourself about your own cybersecurity policies and the role cyber insurance plays. To fully account for the dangers, partner with an experienced cybersecurity firm that has the integrity and know-how to meet with you, provide a proper audit of your network, and work with a reputable insurance company to make sure you have that extra layer of protection.