Cyber insurance has been available as an add-on or standalone business policy since the early 2000s. Organizations have been able to buy high-quality cyber insurance at a reasonable cost to offset the risks they have faced as they’ve gone through digital transformations over the past decade and, in parallel, faced the rapid growth of cyber threat actors. Depending on the policy, covered risks can include a forensic investigation, litigation expenses, regulatory defense expenses and penalties, data recovery, data breach notification to customers, system and network repair, and much more.
In 2020 and 2021, cyberattacks, particularly ransomware attacks, increased significantly in frequency and cost. As many as 66% of all organizations reported that they were hit by ransomware in 2021, and the average ransom payment was $812,360, according to Sophos’ The State of Ransomware 2022. As a result, cyber insurance policies increased in cost in 2022, and insurers began imposing stricter requirements to qualify for a policy.
Today, the cyber insurance market is a $16.66 billion industry that is growing by leaps and bounds. By 2030, the market is expected to expand to more than $84 billion.
Doug Howard, CEO of Pondurance, speaks to audiences at conferences and webinars, fielding questions about the changes that continue to alter the threat landscape and impact the cyber insurance industry. He knows firsthand that technology leaders at organizations are eager to learn the latest information about cybersecurity. Currently, the hot topics of interest include the cyber application process, artificial intelligence (AI), state laws and regulations, and acts of war, to name a few.
Cyber Application Process
Most organizations seek out cyber insurance to protect their businesses against threats, but the hurdles for getting cyber insurance have been raised. For instance, last year, insurers required organizations to have multifactor authentication (MFA), better patch management programs, and better endpoint protection to qualify for cyber insurance. Today, insurers need to know not only that an organization has these technologies but, more importantly, that the technologies have been implemented and operationalized. There’s a long list of items that most insurers require for a cyber insurance policy, now including managed detection and response, and it’s important to implement these requirements prior to the application process.
“Executives and boards want to know what variables impact their ability to get cyber insurance,” said Doug. “It’s common to get questions since people want to obtain cyber insurance or they already have cyber insurance and want to know what hurdles they will have with their renewals. The last thing any executive wants is to be denied cyber insurance and need to explain this to their investors and board.”
Artificial Intelligence
The global AI market totaled $428 billion in 2022 and is expected to surge to more than $2 trillion by 2030, according to Fortune Business Insights. Decision-makers may believe that they can deploy AI for their networks to solve all of their cybersecurity problems, but that’s not the reality. Human attackers must be confronted by human defenders, making people the most important component of any comprehensive cybersecurity program.
The hot topics in AI right now involve attribution, said Doug. Who performed the attack? Was it a machine? Was it a group? Also, organizations want to better understand how to keep their sensitive personal information from becoming part of the AI database, which could trigger regulatory privacy violations and a cyber insurance claim. AI is evolving rapidly and will benefit the defender, but it will also benefit the attacker, who has fewer rules to live by, if any.
State Laws and Regulations
Increasingly, states are passing cybersecurity legislation and regulations to combat the rise in cyberattacks and encourage organizations to implement better cyber practices. New laws, such as the New York Department of Financial Services Cybersecurity Regulation, are having a positive impact on the security of U.S. companies. However, organizations are finding it difficult to track, understand, and comply with all the regulations that govern their industries. Such regulations can impact an organization’s ability to qualify for cyber insurance, adding even more reason for organizations in every industry to stay up to date on regulatory compliance.
Acts of War
War, terrorism, and insurrection typically fall under an acts of war exclusion in a traditional insurance policy. However, a cyber insurance claim can involve nation-states making hostile attacks on U.S.-based organizations and holding data and business operations hostage in exchange for a ransom payment. The courts have been busy defining what constitutes an act of war in cybersecurity.
“If it’s a declared state-sponsored foreign actor — which it rarely is, by the way — that’s not covered because it’s a state action,” said Doug. “But that’s a pretty dangerous road to go down for an insurance company. The exclusion is also a competitive variable for companies choosing a cyber insurance policy.”
The threat landscape continues to evolve year after year, and the cyber insurance industry is evolving with it. Over the next few months, Pondurance will discuss each of the above cyber insurance topics in greater detail, as well as introduce other important cybersecurity issues as they emerge. For our most recent blog on cyber insurance, check out Experts Discuss Cyber Risk, From Law Enforcement to Insurance Claims.