Decoding Cyber Insurance: Essential Statistics and Trends
Precise data is difficult to obtain, in part because many attacks are never reported and potentially never discovered. However, it seems that the number of incidents increased rapidly year on year from 2015, and spiked massively in 2020. Of course, this coincides with the global pandemic and widespread shift in working patterns for organisations around the world. The number of incidents has declined somewhat in subsequent years, which may be a result of improved protection mechanisms and spending on cyber protection.
What is Cyber Insurance?
Cyber Insurance, broadly, is a type of insurance that is intended to cover costs associated with a cyber incident sustained by an organisation. Within that general term, though, there are many subtypes of cyber insurance, each designed to offer cover against a specific type of threat or outcome.
Nick told us:
“A cyber policy will generally cover a wide range of losses arising out of a cyber incident, including direct losses to the company and claims brought by customers, suppliers, and data subjects. Whilst cyber policies are becoming more standardised as time goes on there is still a good degree of variation, so it’s important to understand what sections are included when buying a policy.”
Types of Cyber Insurance
Cyber Insurance generally falls into one of three categories. The policy will give details for each type of cover and define the rules for making a claim and the extent of cover provided. The three categories, with examples, are:
First-party insurance covers your own business's direct costs and losses arising from a cyber incident.
- Incident response costs – your costs in engaging professional services to manage a cyber event
- Damage to your computer systems – your costs to repair, reinstate, or replace computer systems
- Business interruption – your loss of income caused by a cyber event
- Ransomware and extortion – your costs in dealing with a ransom demand, and paying ransoms if necessary
- Theft of funds – insurers cover theft of digital funds in different ways; however, if this is of significant concern we recommend a dedicated crime policy.
Third-party insurance covers costs or losses suffered by other businesses and individuals as a result of a cyber incident affecting your systems.
- Data liability – breach of third-party data held on your systems
- Network security liability – third-party losses caused by failure to protect your systems, such as a virus transmitted via your system, or an attack involving your network
- Media liability – alleged defamation or breach of copyright in your online communications
- Payment card industry liability – breach of PCI requirements and PCI fines
Additional Types of Coverage
Additional types cover indirect costs associated with a cyber attack. These are generally long-term losses incurred well after the attack has been remediated and operations have returned to normal, such as:
- Social Engineering
- Reputational Harm
- Bricking Coverage
Nick made the following general comment about cyber insurance:
“The most important part of a cyber policy is that it does not just provide a pot of money to pay claims. Insurers will have a panel of experts on hand to assist you as quickly as possible following an incident. These include crisis consultants, forensic IT experts, solicitors, public relations consultants, and ransom negotiators. This assistance can help you to minimise the impact of a cyber event on your company, and allow your operations to return to normal sooner.”
The History of Cyber Insurance
According to Nick, the recent prevalence of cyberattacks really got into gear in 2017, with two major global incidents. The largest was the NotPetya attack, estimated to have caused $10b in damages globally. However, cyber insurance cover was not commonplace at the time so the number of claims was limited.
The next two years saw increases in both the level of cyberattacks and the penetration of cyber insurance through the marketplace. By 2019, insurers were paying out more as a result of claims than the premiums being collected. They responded by tightening requirements for being eligible for cover, bringing cybersecurity into focus for businesses.
The Surge in Cyber Insurance Claims
2020 saw a huge surge in cyber incidents, double that of 2019, coinciding with the pandemic and widespread shift in working patterns. It's easy to blame COVID-19 for opening the doors to insecure work practices as IT services needed to adjust overnight to the reality of remote working. However, as Nick points out, the pattern was already set in the preceding years.
The main type of attack was ransomware, where the victim’s files are encrypted and held to ransom. The business suffers a massive loss of revenue while it is unable to operate, so paying the ransom can seem an attractive option.
The cyber insurance providers responded to this massive increase in two ways. Firstly by increasing premiums: larger companies typically saw fees doubling in 2021 and doubling again in 2022.
The second response was to impose tighter security controls on businesses before they were eligible for cyber insurance. This has given rise to a number of now commonplace protection measures, with the result that businesses are now vastly more cyber-secure than they were even five years ago.
Nick’s commentary on these statistics was:
“In the early days of cyber insurance, premiums were underpriced as claims were low and insurers were looking for market share. From 2019-2022 the market went through a major course correction, and combined with better cyber security this should mean that premiums will be more stable and sustainable for the future.”
Cyber Essentials & Cyber Insurance
The increase in baseline security controls and interest in reducing cyber insurance premiums have fuelled interest in the UK's Cyber Essentials programme. Cyber Essentials specifically targets SMEs with a series of requirements. Cyber Essentials accreditation demonstrates compliance with these requirements, giving other organisations confidence in your commitment to cybersecurity.
Cyber Essentials revolves around a number of core technical and organisational controls:
- user account privileges
- account access controls - passwords, multi-factor authentication (MFA)
- company policies and guidelines
How to Prevent Cyber Threats
According to many experts, there is no way to completely prevent a cyber incident. Attackers are sophisticated, organised, imaginative, and thorough. If they want to breach a given organisation and have enough time and resources, they will be successful. The approach therefore is damage limitation. Each of the components of the CyberEssentials programme is designed to
- reduce the available vulnerabilities (this is termed 'reducing the attack surface')
- increase the resilience of the systems, so they can operate during and after an attack
- minimise the amount of funds that an attacker can obtain.
Cyber insurance and cyber security go hand in hand. Accepting that it’s impossible to completely prevent cyber incidents, the best course of action is to mitigate the risks that you can through good security, and then insure against the risks you can’t avoid. In principle, it’s no different to putting good locks on your doors, and then insuring against theft in case the worst happens. As with insurance for physical property, the better your security is, the better options you should have for insurance.
Is your business looking to reduce cyber insurance costs or to reduce its chances of having to make a claim? Are you ready to engage with the CyberEssentials programme? If so, get in touch with us and see how we can help. Our support plans are designed to provide the technical controls to meet CyberEssentials and help you obtain sufficient cyber insurance coverage.
Nick Brayne at Sutton Winson has written a detailed article looking at trends in the UK's cyber insurance. His article is posted here.