Cyber insurance boomed in 2022, but coverage providers are questioning industry survival

2022 will be remembered in the IT and tech worlds as a year of ups and downs, boom and bust, hires and layoffs. It will also be remembered for a spike in ransomware attacks and a corresponding rise in cyber insurance premiums, as the realities of managing risk finally hit home.

A report from British security firm Panaseer reported that 82% of surveyed cyber insurance analysts expect prices to continue to rise for the next two years. The rise in premiums corresponds to a rise in ransomware attacks. US banks flagged ransomware transactions rising in 2021 to over $1.2 billion, up from less than $500 million a year before. That increased risk has inspired a search for answers from companies desperate to avoid a level of risk that has the potential to put them permanently in the red.

Mark Brown, global managing director of digital trust consulting at the British Standards Institution, told IT Brew that the growth in cyber insurance over the past decade is something people 20 years ago would barely have conceived of. But since 2013–2014, Brown has watched as the market has evolved. That change motivated the impulse to diffuse the risk of attacks at the lowest cost possible.

“Many organizations—unless they were being driven by regulation or sectoral license to actually put in place evidence-based cybersecurity programs—were saying, ‘Well, what’s cheaper? Is it cheaper to not fix the cybersecurity and just have a clause in an insurance policy for cyber disruption?’” Brown said.

Chill out. Some analysts say the market is finally cooling down. Insurance broker WTW’s Jason Krauss told the Wall Street Journal that premiums are finally leveling off, despite how it may look from the outside. “It’s amazing, right, that I would tell you that a 20% increase isn’t bad,” Krauss said. “But it’s seen as a good thing.”

In addition to the cost of beefing up security and restrictions on payouts, cyber insurance premiums have exploded. That’s due in part to the effects of the market—there’s a demand for a product that’s not in high supply. And more and more companies are simply ceasing to offer cyber insurance at all, based on the reasoning that the premiums just don’t make sense given the cost of potential payouts.

Insurance companies that are still offering coverage are starting to make further demands. Experts IT Brew consulted said that if you want to have the security cyber insurance provides, you’ll need to put some capital toward ensuring that you’re doing your part to stop the attack in the first place. The potential of companies getting lax with their own security efforts because of the potential relief provided by insurance is not a risk the insurance companies are willing to shoulder.

Cost boom. Companies may see cyber insurance as a safe hedge and consider slowing down spending on mitigation. There are a few reasons for that, Brown told IT Brew: speed of response, predictable versus unpredictable investment, and offloading of risk. It’s that concern that’s driving insurance companies to push for evidence of mitigation efforts before offering policies.

“When a company does get cyber insurance in place, the anecdotal evidence is that they will look at their cyber investment programs, and say, ‘We can probably decelerate a bit,’” Brown said.

SafeBreach CISO Avishai Avivi told IT Brew that customers are seeking higher coverage levels from insurers in order to transfer risk, a trend that has accelerated over the last year. With that boom in business has come a corresponding boom in payouts—and it’s leading insurers to implement certain conditions on offering the coverage. One such condition is that customers are less likely to get coverage payouts if they pay ransom and then ask for compensation. It’s a matter of assessing and managing risk for the insurers, Avivi said.

“If the data has been exfiltrated, that’s where those ransomware actors are going to be,” Avivi said. “Now, the challenge is that some cyber insurance companies will say, ‘You’re not allowed to pay ransom, if you pay ransom, your policy is null and void.’ And they won’t cover that ransom part.”—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected].