Cyberattacks are not only a technological problem for companies, but they also represent a very real financial threat. That’s where cyber insurance may be able to help.
According to the Ponemon Institute and IBM, the global average cost of a data breach is $4.24 million and climbing. And costs can be much higher for some industries and geographic locations (including the United States).
As the number and severity of data breaches continue to rise, organizations are recognizing that those costs are not theoretical. If your company has not already experienced a significant cybersecurity event, it is probably only a matter of time before it does.
For that reason, most experts now recognize that a complete cybersecurity strategy not only includes technological solutions aimed at preventing, detecting, and mitigating attacks, it should also include cyber insurance to help manage the associated financial risks.
But there’s a catch: Insurers are going to carefully assess your cybersecurity controls before writing any policy, and there are limits to coverage. However, a good cyber insurance provider can also leverage their partnerships to help your company afford better security controls.
Cyber Insurance is Booming
While cyber insurance is a fairly recent concept, business is booming, and there are literally hundreds of companies offering cyber insurance.
According to the National Association of Insurance Commissioners (NAIC) report from October of 2021, the cybersecurity insurance market, including both U.S. domiciled insurers and alien surplus lines insurers writing business in the U.S., was worth roughly $4.1 billion in direct written premiums in 2020. That’s a 29.1% jump from the prior year and it is expected to increase by a large amount once 2021 totals are verified.
Insurers writing standalone cybersecurity insurance products reported approximately $2.58 billion in direct written premiums, and those writing cybersecurity insurance as part of a package policy reported roughly $1.49 billion in direct written premiums.
Ransomware Drives Up Costs, Lowers Coverage
Not surprisingly, ransomware insurance has become popular and is included in many policies. Consequently, rates are rising sharply due to the prevalence of such incidents, NAIC said.
“Currently, cyber insurance is experiencing a ‘hard’ market, meaning that prices are increasing and there is less capacity available,” said Erik Barnes, Senior Underwriter, Cyber & Technology at AXA XL. “This is driven by the proliferation of cyber claims across the entire market, particularly ransomware related. Whereas in the past, cyber insurers may have frequently extended liability limits of $10 million, it is becoming increasingly more common that carriers can only extend a max of $5 million limit per risk.”
He added that while ransomware may have gotten the most attention and headlines, claims for standard privacy-related incidents, breaches, and more continue. Other cyber incidents are common, including phishing attacks, business email compromise, exploitation of cloud and software vulnerabilities, social engineering, third-party exposures, and more. This is causing cyber insurers to underwrite with much higher levels of scrutiny, especially as it relates to ransomware-centric security controls.
“We are getting much more into the weeds, as a client’s cybersecurity measures are a big part of our risk assessment before underwriting and pricing a policy,” said Barnes. “Where we might have previously relied on what was provided in a short, written application, today we regularly have hour-long underwriting calls with clients, often speaking with their CISOs and security teams, to understand their risk and what security protocols they have in place.”
AI, ML Playing a Role
But the increase in ransomware and other threats isn’t the only major trend impacting cyber insurance. Joel Friedman, CTO and co-founder of Aclaimant, cited automation as an increasingly necessary element as this insurance category grows sharply.
“Like many industries, technology innovation and adoption are accelerating, and cybersecurity insurance is no exception,” said Friedman. “Companies around the world are finding new ways to keep themselves and employees secure through constant monitoring and are looking to automated tools that can monitor in real-time and provide insights into what is happening at the cybersecurity level so those issues can be addressed.”
Artificial intelligence and machine learning, too, are being increasingly layered into these tools to predict what risks might be on the horizon so companies can stay ahead of the curve and protect themselves and their employees.
For example, security breaches pose a huge threat to companies nowadays. Through the use of AI and ML technologies, companies can predict when these hacks and breaches might occur so they can be better prepared to reduce levels of access to sensitive information or prevent the breach from happening altogether. In addition, if a breach does occur, these new tools can help scope the affected areas and address access issues faster than legacy systems.
Selecting a Cyber Insurer
When selecting a cyber insurer, organizations should consider a number of different factors, including the financial stability of the vendor, the type of coverage provided (such as breaches, ransomware, DDoS attacks and regulatory compliance), and the cost. In addition, most of the vendors offer ancillary services designed to help protect against, prepare for, and respond to breaches. Some also have partnerships with key cybersecurity vendors that might be helpful.
Rates vary sharply from vendor to vendor. Some cater mainly to specific verticals or large enterprises. Others specialize in small businesses that are often targeted by ransomware these days. Those with an existing and satisfactory business insurance relationship with a vendor are advised to first contact that company, as they may be able to offer attractive rates by packaging cyber insurance with other types of insurance.
When purchasing cyber insurance, Barnes recommends that the following factors be considered:
- Knowledgeable underwriters: There have been many new entrants to the cyber insurance market over the last five years, many hoping to take advantage of the fast-growing market and its opportunities. It’s important to work with a carrier who has a strong track record in the market, has shown a commitment over the long-term (some longevity), and can show strong financial stability.
- Quality of coverage: It’s important to know what is really being offered in your policy, and maybe even more important, what’s not. Companies need to review the policy exclusions to see what is not covered.
- Claims handling: In-house claims expertise and an incident response team are a big plus. Many carriers outsource their claims handling to third parties, which may not be as familiar with the insurance product and, being one step removed, may be less likely to be a true partner for the insured.
Effective cyber risk management requires being prepared, taking all precautions possible to prevent an incident from occurring, but arguably most importantly, knowing how to respond when something happens, and having experts on hand in multiple fields of expertise to assist in claims.
Friedman added that it is best to find a carrier that is moving forward with the technology innovations disrupting the space so the business can better identify, respond, and mitigate risks that threaten their company and employees.
“Since cybersecurity is a newer concept for most businesses, finding an insurance carrier who has tools and resources available to educate companies on cybersecurity risks and mitigation strategies can be few and far between,” said Friedman. “But providing insight-driven tools is one way for carriers to gain a competitive advantage and add value for their insured and ultimately help businesses prepare for risks such as breaches in the future.”
Top 8 Cyber Insurers
Insurers were chosen for this list of top vendors based primarily on their total cyber insurance premiums for 2020. The top eight insurers account for about 60% of the market and more than $1.5 billion in direct premiums.
AXA XL accounts for about 10% of the current cyber insurance market. It offers a full suite of first- and third-party coverage, from cyber security breach expenses and privacy regulatory coverage to cyber extortion & ransomware coverage and business interruption coverages. Coverage is tailored for businesses across various industries and technology companies, available on a primary and excess basis.
Its claims team are all attorneys with years of cyber incident response experience. They sit right alongside underwriters so they have a good understanding of clients and coverage before any incident occurs.
AXA XL recently launched an incident response team as part of its claims team that helps in every aspect of incident response, from enlisting needed help from expert vendors to walking through every step of the claims process. It has established a panel of expert vendors – from forensics to PR teams – that can be called on for help when an incident arises.
XL Catlin CyberRiskConnect policy provides coverage of up to $15 million. It encompasses: Technology Products and Services; Professional Services; Media; Privacy and Security Liability; Data Breach Response and Crisis Management; Privacy Regulatory Defense Costs and coverage for any fines and penalties assessed; Business Interruption and Extra Expense; Data Recovery; and Cyber Extortion and Ransomware.
Chubb has long been one of the big names in insurance. It is also big in cyber insurance, placing top among all providers, according to NAIC, with almost 15% of the market. It covers organizations regardless of size or industry.
Chubb’s suite of cyber products integrates privacy, network, media, and Errors & Omissions (E&O) products to provide customized coverage.
The company offers a variety of products and services.
Cyber Enterprise Risk Management (Cyber ERM) has no minimum premiums, offers cyber crime coverage and cyber incident response expenses, with the coverage territory applicable worldwide to address continued evolution of hosting and data storage.
DigiTech ERM combines cyber insurance with loss mitigation and incident response services.
Integrity+ by Chubb is an integrated financial insurance solution that provides broad liability and first-party cyber protection for a wide array of E&O, data security, privacy, media, and intellectual property infringement exposures.
American International Group (AIG) has an 8.3% share of the cyber insurance field. It provides coverage for physical and non-physical losses resulting from a cyber event on a primary basis via its CyberEdge or CyberEdge Plus products, as well as excess/difference-in-conditions insurance via CyberEdge PC.
Limits of up to $100 million (varying by coverage) are available, with no minimum retention. Terms, including limits, retentions, and coinsurance, depend on a client’s perceived level of exposure and the maturity of its cybersecurity and privacy controls, and are based on responses provided in the AIG Cyber Insurance Application. Coverage applies across industries, entity types, revenue sizes, and geographies. Eligible policies include cybersecurity remediation services valued at up to $25,000.
Travelers is another big player in the cyber insurance sector with a 7.5% market share. In addition to coverage, it provides policyholders with value-added pre- and post-breach risk management services at no additional cost.
These benefits include cyber coaches, pre-breach services provided by Symantec, and access to Travelers eRisk Hub powered by NetDiligence (a private web-based portal containing information and technical resources to assist in the prevention of network, cyber and privacy events and timely response if an incident occurs).
Travelers’ CyberRisk solution is broad cyber coverage customized to fit business needs. It is aimed at both small businesses and Fortune 500 companies, including financial institutions and nonprofits. There are also versions of CyberRisk available for technology companies and public entities, and a simpler version called CyberFirst Essentials for small businesses.
Axis is a top-ten provider of cyber insurance. It covers any businesses in all industries whose activities call for them to collect, process or store information of value. This can include personal data, business critical information and any other data that could lead to financial loss, reputational damage or business interruption. A variety of policies are available to cover property damage as a result of a breach, business interruption, data restoration insurance, insurance for data published online, crisis management, online fraud, as well as Payment Card Industry (PCI) fines and recertification insurance. Liability limits are set at a maximum of $25 million.
Beazley offers a range of tools to help companies avoid cyberattacks as well as insure them against the damage. Its Privacy Builder is a toolkit to develop and improve data privacy and security. It hosts Cybercrime Spotlight webinars on emerging cyber threats and the most effective controls to prevent them. It also offers training on cybersecurity, phishing, ransomware, and more.
Beazley’s Breach Response policy offers first party loss to indemnify the insured organization for business interruption, dependent business interruption, cyber extortion loss, data recovery costs, and liability to pay damages and claims expenses, which the insured is legally obligated to pay because of any cyber claim.
CNA combines a range of products and risk control services to help safeguard businesses. Its underwriting and risk control staff offer tailored, industry-specific coverages. CNA also provides tools and resources to understand exposures and address potential losses. If there is ever a data breach, coverage extends to network failure, dependent business income, wrongful collection, media, e-theft and social engineering, reputational harm, voluntary shutdown, and PCI.
BCS CyberBlue is cybersecurity insurance for Blue Cross Blue Shield Plans, with primary coverage up to $75 million. There is also a flexible excess policy with the capability to be written on a standalone basis, or in combination with cyber security/privacy and technology.
BCS Micro Cyber policy is designed for small to midsize businesses, and can be completed in under two minutes. Nano Cyber is a cyber liability insurance program for insurance agents and other self-employed individuals to protect their business for incidents that involve breach of private data and communications.