It would appear business executives are finally getting the message when it comes to appreciating the risks associated with cybersecurity. The cyber insurance market is booming. A report from CyberPolicy, an online cyber insurance marketplace, finds the number of cyber insurance policies being taken out increased on average 69 percent per quarter over the last year.'Nearly half (46%) of SMBs cited contractual requirements as being the main reason for buying cyber insurance.' ~@MVizardClick To Tweet
The primary drivers of that growth are two-fold. The first is the price of cyber insurance is falling as more customers seek it. The CyberPolicy report finds that in April of 2017, the average monthly premium for a $1 million limit policy was $271 per month. In June 2018, the same $1 million policy limit, but with more comprehensive coverage, went for only $77 per month. The report also notes first-time cyber insurance shoppers are on the rise among SMB owners, experiencing a quarterly growth of 34 percent over the last year. CyberPolicy customers are also requesting higher insurance limits, with 90 percent of small-to-medium businesses (SMBs) purchasing policies with coverage limits between $1 and $5 million.
The second big driver for cyber insurance has been contractual obligations. Nearly half (46%) of SMBs cited contractual requirements as being the main reason for buying cyber insurance.
While that’s all good news, organizations should also assume insurers are going to get a lot more aggressive about determining who is responsible for cybersecurity breaches. The insurance industry is in the processes of establishing more rigorous rules that organizations will comply with simultaneously lobbying governments to be able to, for example, share information about cybersecurity breaches between insurers to make those rules more consistent. A report published by Carnegie Endowment for International Peace calls for a more systematic approach to setting policies and rates.
But organizations should be wary of assuming any claim they make to come anywhere near covering the cost of a security breach. Cyber insurance policies only tend to cover lost profits. Any costs associated with penalties imposed by, for example, a regulatory agency are not covered. Organizations also need to be aware of what policies cover what types of breaches. The National Bank of Blacksburg in Virginia is suing Everest National Insurance Co. after the insurer refused to pay out a significant portion of the bank’s $2.4 million claim in the wake of two data breaches in 2016 and 2017. The insurer only offered $50,000 because it claims the breaches are not covered under National Bank’s computer and electronic crime insurance rider. Instead, the insurer concluded the breaches were covered under a debit card rider, which has a single-loss limit of $50,000.'When it comes to cyber insurance, organizations should also assume insurers are going to get a lot more aggressive about determining who is responsible for cybersecurity breaches.' @MVizardClick To Tweet
The concern is cyber insurance will create a false sense of financial security among business leaders who will tend to assume costs are covered in the event of a breach. They may even skimp on cybersecurity spending because the risk in their minds has been assumed by the insurer. The reality of the situation is likely to be quite different. As the number of claims that get made in the wake of continuing exponential increases of security breaches, chances are good insurers will resist making good on those claims. In fact, qualifying for insurance will most likely soon require organizations to invest more in cybersecurity. Human errors may even be grounds for not paying a claim. Insurance companies, after all, are in the business of making money. The best way for them to go about that is making sure organizations have a level of security in place that minimizes the number of claims they might ever have to make good on.
The fact of the matter is that when it comes to cyber insurance, there are lots of good, bad and ugly things to consider in almost equal measure.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.