In the battered security landscape, companies are doing all they can to transfer risk out of their organizations. One of the most common ways to transfer this risk is to acquire cyber insurance. Since the dot-com bubble of the 90s, cyber insurance has taken on many forms. Let's dive into the insurance topic in detail.
As of the writing of this blog, nearly every customer that I have spoken with had a major increase in their cyber insurance premiums in 2022. In some cases, the increase was nearly 3X. There are approximately 18 different coverage models for cyber insurance. eCrime coverage, data recovery costs, and vendor and supplier errors are all examples of these different types of coverage. Unfortunately, we are not seeing these insurance models provide an equal amount of value for the cost of the premium. Why are insurance companies not successful with cyber policies?
- Insurance companies do not understand true incident response. In many cases, the first people onsite after a breach are attorneys. We suggest that the first people onsite be a security company that can immediately contain the breach.
- Where is the actuarial data behind breaches? Insurance is built on actuarial studies and math. This is non-existent with cyber breaches.
- Ransom payment: When you pay the ransom and give in to the bad actor's demands, they will attack again.
- Underwriting is flawed. How does an insurance company know your security posture based on filling out some paperwork? Where is the security assessment that can truly measure the risk that you face?
- Insurance company losses: The industry-average loss ratio for cyber insurance was 72.8% in 2020.
Should you buy it? Absolutely. You may even be required by regulation to do so. In the next year, prepare yourself for some very interesting changes on the cyber insurance front that will truly allow you to transfer this risk with greater success.