The cost of cyber insurance is rising sharply, underwriters are tightening the rules around who qualifies for coverage, and insurer capacity is shrinking at the same time. Estimates vary widely, but the latest figures from the Council of Insurance Agents and Brokers report a 25.5% increase in cyber insurance premiums.
Not surprisingly, the rise in cyber insurance costs is mostly attributable to a tidal wave of ransomware damage claims hitting insurers over the past two years.
Larger organizations are absorbing most of this price increase, but by demanding higher payouts against their losses they are also driving up the cost of coverage for smaller businesses, according to Jim Goldman, CEO and cofounder of Trava Security, which specializes in cyber risk management and insurance assessment automation.
“Up until two years ago, cyber insurance was incredibly cheap. Since then, the costs have doubled, tripled, then quadrupled while the actual level of coverage goes down,” said Goldman in our recent video interview.
Goldman is a cybersecurity pioneer: in 1991, he became the first computer networking and security professor at Purdue University. He later led an FBI cybercrime task force and served as business information security officer at Salesforce before co-founding Trava.
Policy Pricing for SMBs
As Goldman explains it, pricing a cyber insurance policy is complex and hinges on many factors, starting with the line of business the company is in. For example, a 50-person company with low liability exposure may pay $2,000 to $3,000 a year for its policy. But now, with software supply chain risk so prominent, a company of the same size in software development (a Trava client) is paying $30,000 a year for its policy.
“We deal with a lot of software companies, and they need insurance against third-party liability, particularly from their open-source components because there’s been a high proliferation of lawsuits against software companies since the SolarWinds breach,” he explains.
This also comes down to what buyers of cyber insurance should be examining in their policies, or, as Goldman puts it, SMBs need to focus intensely on “what’s not in their policies.” For example, third-party liability coverage is a must for many SMBs in the software or services business, but it is not usually included in standard policies.
“SMBs offering software and services are more likely to have their customers seek indemnification for business disruption when the software and services they rely on are unavailable due to a ransomware attack,” he notes. “In the case of ransomware, the policy should also carry coverage for loss of business and additional liability or costs if their data is hijacked and made available on the dark web.”
Raising the Bar
Qualifying for cyber insurance has also become harder for SMBs, which now must meet stricter requirements before underwriters will even consider them.
“Prequalifying questions used to boil down to five key indicators: Do you have multi-factor? Do you have EDR on all endpoints? Is your data encrypted? And other basics,” Goldman explains. “Now, once you prove those five things, then you must fill out the 200-question application. And, if you still qualify, the broker will scan your systems to validate controls.”
He advises SMBs to find a trustworthy insurance broker who will help them learn what they don’t know but need to know about cyber insurance, to read their policy options carefully, and to look for what is not there. They should also be prepared to take part in data-driven, assessment-heavy risk programs that could ultimately lower their overall insurance rates.
Most importantly, he adds, keep your network in compliance with the controls your policy requires; that makes renewal faster and rates cheaper.