Buying cyber insurance in 2021? Expect greater scrutiny, higher premiums

Increased frequency of cyberattacks and growing associated costs could mean higher premiums, tighter risk assessments, and changes in coverage this year.


Organizations will face significant challenges in purchasing, renewing, and benefitting from cyber insurance policies this year as various factors drive the sector towards a stricter, more specialized position, global specialists in law, risk, and cybersecurity predict. These include the continued evolution and impact of cyberthreats throughout 2020 and the early months of 2021, chiefly in the form of ransomware attacks and wide-ranging supply chain security issues.

As a result, insurers are likely to carry out enhanced cybersecurity risk analysis of companies seeking to purchase or renew policies this year. Increased premiums, stricter indemnity limitations, refusals to fully pay out on claims, and denial of coverage are all possible ramifications for organizations. “The cyber insurance market is tightening, with insurance providers demanding more from policyholders before issuing a policy or renewing one,” Jack Kudale, founder and CEO of Cowbell Cyber, a US-based provider of AI-powered cyber insurance, tells CSO.

Sean Cordero, security advisor at Netenrich, concurs, adding that, for the first time, insurers will request new evidence and validation from their policyholders to prove their cybersecurity adequacy and minimize their exposure. “Each new request for coverage will have increased scrutiny…. For organizations seeking to obtain or maintain coverage, the difficulty of getting sufficient coverage will increase due to greater scrutiny of the insured security practices and exposure during the underwriting process.”

While Kudale argues that a more detailed assessment of a company’s insurable risk profile should be a welcome evolution, he admits “we are currently seeing traditional carriers in some cases doubling the premium, reducing the limits in half or simply unwilling to renew certain industry classes in order to maintain their aggregated risk.” 

How cyberthreats affect cyber insurance

The last year has seen not only a continued slew of cyberthreats impacting organizations of varying sizes, but also the evolution of specific attack trends and techniques. These notably manifested in the growth of multi-extortion attacks, whereby cybercriminals not only encrypt an organization’s data and hold it for ransom, but also copy and threaten to release it to the public, thus raising the stakes. In doing so, they can request double the ransom for the unlocking and then deletion of the information, all the while holding the ace that, even if they are paid, they could just release the data anyway. This means that ransomware attacks are becoming more difficult to predict and more expensive to recover from. That’s having a significant knock-on effect on cyber insurance.

“A rampant increase in ransomware will continue to tighten the industry further,” says Kudale. “We are also seeing supply chain risk becoming a much bigger peril, as seen in the recent SolarWinds hack and Microsoft Exchange Server attack. Due to the wave of ransomware attacks in 2020, cybercrime and other threats, policyholders should expect to be asked more questions at renewal.”

The cyber insurance waters are indeed becoming murkier, with evidence of cybercriminals intentionally targeting victims that have policies in place under the assumption that they are financially covered in the event of a ransomware incident, and so they are more likely to turn a quick profit from an attack. This is something that insurers are becoming more wary of.

“Cyber insurance providers are increasingly concerned about the levels of cyberattacks which are growing at an alarming rate,” adds Sanjiv Cherian, head of business development – global cybersecurity at A&O IT Group. “They will inevitably hike the premiums since they are aware of the risks that will be transferred to them from insureds. The analysts of these insurance providers will rework their pre-set algorithms to place ancillary restrictions on the coverage limit and add granular clauses encompassing scenario-based incidents.”

Approach cyber insurance with care in 2021

Organizations seeking cyber insurance this year should proceed with caution, experts advise, giving careful consideration to a number of factors to help make the process as efficient as possible.

First, as insurers demand more detailed cybersecurity information and become more selective about which companies they cover and how, organizations should prepare for the greater scrutiny they will face. “There are fundamentals that organizations should have in place prior to seeking insurance,” says Kudale.

“Prepare for the increased level of review from your provider and partner with them to address identified areas of exposure,” adds Cordero. “Suppose you’re dealing with a cyber insurance provider that only required self-attestations as their primary method of determining coverage eligibility and pricing. In that case, you could see disruption in your processes for obtaining or maintaining coverage later this year” if they have evolved their models and capabilities for calculating risk.

Furthermore, while some insurers in this space are adept at handling claims and acting responsibly, others are not so experienced, says Jonathan Armstrong, tech and compliance lawyer and partner at Cordery. “Organizations therefore have to be very careful to make sure that they pick an insurer who is going to help them and who has relevant experience in this area.”

In this regard, Cordero recommends considering the “new generation” of cyber insurance providers coming to the market. “These new companies are getting on the boat with you and are as interested [as you] in reducing the impact and cost of a breach. It’s good for your business, and it’s excellent for theirs,” he says, adding that more options, coverage upkeep and validation capabilities incentivize strong security practices and controls.

It can also prove valuable to use the services of a reputable broker with knowledge in the space to help in the insurer selection and management process, Rick Betterley, president of Betterley Risk Consultants and author of The Betterley Report, tells CSO. “Make sure your broker is handling the messaging effectively.” He recommends that you be involved in that messaging and ensure that your broker has in-house cyber broking talent working on your behalf. “If they don’t and you are a smaller insured, make sure your broker is using a cyber-specialized wholesale broker to assist them. Don’t accept ‘oh, the cyber market is terrible for everyone’ when presented with an ugly renewal (or nonrenewal). It’s terrible for some, but good risks that are well represented are being treated fairly.”

As the cyber insurance market matures, policies are increasingly being made available in varying modules by different providers, each of which can address specific scenarios in the case of a data breach, says Cherian. “While one policy covers forensic expenses, another only deals with liabilities issues with third parties, and so on. Most of these policies get written with many exclusions.” Consider each exclusion carefully and ensure all concerns are covered before purchase, he advises.

Businesses also need to assess how the company might respond in the event of a claim, Armstrong adds. For example, does the policy allow for the appointing of lawyers of the policy holder’s choosing or do the insurers reserve the right to make decisions over whether a ransom is paid? “Increasingly, we are hearing of insurers paying ransoms, sometimes against the company’s wishes. This could lead to bigger outlay for the company especially if a regulator finds out or the ransomware gang attacks again.”

A standardized, specialized cyber insurance industry

While organizations have important new cyber insurance issues and potential hurdles to address this year, the changes outlined have the potential to lead the cyber insurance sector to a more specialized destination, which could be to the benefit of both insurers and organizations. “As the cyber insurance market matures, there is an increased need for standardization—from applications, to risk assessment and coverages,” says Kudale. “There is a welcome evolution to the cyber insurance market where organizations seeking cover need to provide more detailed information about their digital footprint than a few years ago.

“Every stakeholder—policyholders, agents, insurers and reinsurers—benefits from the additional transparency, the deeper understanding of underwritten risks and the ability to actually advise businesses on cyber risk beyond the policy contract,” Kudale adds.

For Cordero, the shifts in the cyber insurance landscape could help to create a more dedicated, focused market. Some insurers could exit the market if they are unable to support their underwriting and claims processes. The changing market might be an accelerator for other insurance providers who have invested in models and technologies that increase confidence in their predictions and underwriting. “I hope that this change leads to increased options for coverage to the organizations controlling their exposure and risk well,” he says.

Ultimately, the sea of cyber insurance looks to be somewhat choppy for businesses this year. While moves to a more specialized and standardized cyber insurance sector may well bring clear beneficial outcomes, organizations will certainly need to do their due diligence to ensure they get the cover they need on the terms and conditions, and at the cost, that are right for them.

Copyright © 2021 IDG Communications, Inc.
