As cybersecurity insurance premiums rise, what can businesses do to cope?
Step one is to make necessary investments to firm up protection from attack
Few threats to the business community are as rapidly increasing and evolving as that of cyberattacks. One day it’s ransomware or social engineering, the next it’s phishing, hacking or patch problems. In the past, the silver lining for businesses tackling this issue has been cyber insurance, providing a level of financial protection from a mostly invisible enemy. But technology is constantly changing, and new challenges are emerging in the market for this coverage.
While the market for cyber insurance was slow to evolve, a large number of businesses in recent years made the responsible decision to protect themselves from potential catastrophic losses. According to the National Association of Insurance Commissioners (NAIC), insurers wrote approximately $4.1 billion in cyber premium in the United States in 2020, the latest year for which figures are available, with $2.75 billion in direct written premiums by domestically domiciled insurers.
Globally, the data company Statista estimates that cyber liability accounted for $8 billion in premium in 2020 and could grow to more than $20 billion by 2025.
From our department’s involvement on the NAIC’s Cybersecurity Working Group, it is encouraging to see a large, competitive market that ensures that businesses have access to the protections they need. However, whether that trend continues will depend on premium affordability – and there is some current distress in the market, along with signs that point to significant challenges in the coming years.
Not long ago, insurers were swarming into the cyber insurance market and laboring to persuade businesses that this was an essential coverage that could be purchased at affordable rates.
Now, because of the constantly evolving and complex nature of cyberattacks compounded by the ever-increasing connectivity of our devices, along with the Russian invasion of Ukraine, an uptick in nation state cyberthreat activity, and swelling claims, the industry is struggling. The potential for simultaneous losses across many policyholders is a serious threat. With increasing regularity, we are seeing market contraction, sharply increasing premiums, shrinking capacity as some carriers jump out of the market, and underwriters insisting on strict risk controls before writing a policy.
So how can insurers and businesses face these challenges and ensure a vibrant marketplace into the future? The key is for both sides to appreciate their shared responsibility.
It is critical for businesses to make necessary investments in their technology, training and expertise to ensure a mastery of cybersecurity basics. Strong controls should be put into place, such as regular awareness training, ensuring safe VPN connections, and multifactor authentication. While insurers do not typically scrutinize specific technologies, they do want to understand how a business crafts risk management strategies using existing technology and internal standards.
When a cyber incident occurs, it needs to be addressed urgently, and businesses must engage their approved cybersecurity vendors immediately after the breach, regardless of the time or day of the week. A business's risk manager is critical for any organization and needs to be prepared to address the threats and ensure that internal and external resources are ready to respond.
By making these investments and formulating internal cybersecurity protection strategies that can move at a moment’s notice, the business community can help keep cyber insurance rates in check.
Similarly, insurance carriers must ensure that their underwriters are gaining the appropriate experience and confidence in pricing coverage to increase competition and draw new entrants into the market, which will produce premium moderation. They must update their actuarial models, some of which are based on underwriting data from the last decade, to evaluate how relevant the information is moving forward – especially given the increased protections the business community is undertaking. They also must find strategies to control their losses through limits, deductibles, and reinsurance.
Finally, there must be a recognition in the insurance industry that our state and national economy will be hobbled if businesses are unable to access the products that they need to protect themselves. While reforming these products is necessary, exiting the market entirely for this coverage is not in the best economic interest of the country.
In partnership, the business community and insurance sector can take critical steps together that ensure that the cyber insurance market not only stabilizes from an affordability perspective but thrives into the future.
While having insurance is common sense for any business, it does not absolve a business from its own responsibility. After all, having dental insurance does not negate your responsibility to brush and floss your teeth. Likewise, cyber insurance is not a replacement for basic cyber hygiene.
Christopher Nicolopoulos of Bow is the commissioner of the New Hampshire Department of Insurance, and D.J. Bettencourt of Salem is the agency’s deputy commissioner.