As the frequency and severity of ransomware, phishing, and denial-of-service attacks have increased, so has demand for cyber insurance. About $6.5 billion in direct written premiums were recorded in 2021, a 61% increase over the prior year, according to an October 2022 memorandum from the US-based National Association of Insurance Commissioners. “Some companies see it as essential to their risk management strategy,” says Heather Engel, managing partner at advisory firm Strategic Cyber Partners.

However, experts say that cyber insurance might not be readily available to all who want it in 2023. Enterprise executives are finding that policy costs are rising, and insurers are asking for more proof that strong cybersecurity strategies are in place before agreeing to provide coverage. Many companies may have no choice but to meet such terms, as more organizations are requiring that their business partners have cyber coverage.

Such market dynamics mean that CISOs now have a much bigger role in discussions about, and procurement of, their organization’s cyber insurance policies. “It’s a conversation that needs to be happening across the C-suite, with the CEO, risk management, and the CISO. They all need to be thinking about the risk management strategy writ large,” says Tracy Wilkison, senior management director at FTI Consulting.

How cyber insurance has changed

Early versions of cyber insurance policies date back to the late 1990s, although organizations then, and through the early part of this century, typically relied on more conventional insurance policies to cover cyber events. That changed around 2015, as more insurers started to offer standalone cyber insurance policies.

Around the same time, some insurers started to argue that more general insurance policies shouldn’t cover cyberattack losses. That message hit home after the 2017 NotPetya attacks, when some claims were denied on the basis that cyberattacks initiated by bad actors allegedly backed by nation-states were to be considered acts of war and thus excluded under the existing policy language.

Two notable legal cases followed. Merck & Co., the pharmaceutical company, sued its insurer after being denied coverage under its all-risk property insurance for its reported $1.4 billion in losses. A New Jersey court judge ruled in Merck’s favor in early 2022. In the second case, the multinational food and beverage company Mondelez International sued its insurer after having a claim denied following a 2017 attack. It settled with its insurer, Zurich American Insurance, in 2022.

Such insurer actions, combined with the growing volume of successful cyberattacks and the increasing costs that result, have fueled a growing interest in standalone cyber insurance policies, says Alla Valente, a senior analyst with Forrester Research. Yet that interest comes as insurance is becoming harder to obtain, she says. Several years ago, organizations that wanted coverage could generally get a policy with relative ease. “But then the pandemic hit, and not only were insurers getting lots of business disruption claims, they were also seeing a significant increase in cyberattacks,” she says.

Moreover, Valente says, insurers around that time were seeing that cyber incidents, their fallout, and the recovery costs were much harder to predict than real-world events for which they had long histories of actuarial data. “For example, if a business is interrupted by a flood, they’re going to see certain losses and there are predictable parameters—it’s a contained event, happening in a certain locality,” Valente says. “But that’s not how cyber events work; events can be widespread. In this ecosystem of relationships that every organization now has, [an attack] is like a disease where it starts in one place and can spread very, very quickly. So, if one company is a victim of a cyberattack, everyone they do business with can be impacted.”

Obtaining cyber insurance means meeting increasing requirements

Insurance provider Hiscox surveyed 5,181 companies of varying sizes and sectors in eight countries for its 2022 Cyber Readiness Report and found that 64% had cyber insurance, either as a standalone policy or as part of another policy, up from 58% two years earlier.

The Hiscox survey also found that the percentage of companies reporting a cyberattack in the prior 12 months increased year-over-year: 48% in 2022 compared to 43% in 2021. The median cost of an attack also rose 29%, to just under $17,000. And 20% of companies that suffered an attack said their solvency was threatened, an increase of 24% from the prior year.

Meanwhile, Delinea, which makes privileged access management software, in November published a cyber insurance report based on a survey of 300 US-based IT decision-makers. It found that 80% of companies with cyber insurance have had to use their policies, and more than half of those have used them multiple times.

Insurers have responded to the increasing number of claims and costs by requiring organizations to have robust security controls and to demonstrate that those controls are working. “You used to fill out a basic questionnaire and you could get a policy. But that has changed over the past several years,” Engel says. “Now insurers require more controls such as multi-factor authentication (MFA) or you either won’t get a policy or won’t get complete coverage. And now companies are being asked to provide incident response plans.”

Cyber insurers asking for more from applicants

Security advisors and consultants say they see insurers asking more questions of those seeking insurance policies. They’re requiring proof that applicants have achieved certain levels of security hardening, such as SOC 2 compliance. They’re reviewing security strategies and policies as well as security training and awareness programs. “Insurance companies are taking a closer look at all of those,” Wilkison says.

This in turn has required more involvement from enterprise security leaders in the insurance procurement process. “What CISOs are seeing is that they’re going to have to be more involved in showing their readiness levels,” Wilkison says. CISOs may also have to adjust their strategies to meet insurer demands.

“If you want to get your claim, you usually have to use their panel of vendors or follow their procedures,” says Michael Pisano, a managing director at global consulting firm Protiviti. For example, clients will be required to have detailed response and recovery plans in place: in the event of an incident, insurers want clients to meet specific requirements, such as which lawyers should be used and what forensics should be performed, and by whom. As a result, he says, CISOs need to understand those requirements and incorporate them into their playbooks.

Even then, experts warn, there is no guarantee that insurers will cover the losses. Organizations may have to prove that their security teams followed through on all plans and continuously maintained the security levels they described when obtaining their policies.

Valente points to a 2022 case filed in an Illinois federal court by Travelers Property Casualty Company of America against International Control Services. Travelers Insurance asked the court to allow it to rescind a policy it issued to ICS, saying it shouldn’t have to pay ICS’s ransomware claim because ICS allegedly misrepresented its use of MFA. “So, if something lapses, your company could be on the hook for more [of the incident response costs] or it could mean the policy is null and void,” Valente says.

Companies rethink cyber insurance approaches as costs increase

These dynamics mean that executives are not only seeing more stringent requirements to obtain cyber policies, they’re also seeing the costs of those policies climb. As Wilkison explains: “There’s a huge increase in ransomware attacks and other types of attacks and that means insurance companies are paying out a lot more in ransomware and breach costs, so they’re increasing prices. Prices have really skyrocketed.”

Some 75% of those surveyed for the Delinea report said they saw their premiums increase the last time they renewed their policies. At the same time, experts say policies vary in their coverage. The Delinea report found that only about 30% of organizations had policies covering ransomware, ransom negotiations, and decisions on ransom payment. Only 48% said their policies cover data recovery, and about a third said their policies cover response, regulatory fines, and third-party damages.

Given the rising costs and limitations on coverage, some organizations are evaluating their options. As Engel says: “It begs the question if the policy is worth what you’re paying for it, and that’s something only the company itself can answer.”

Is cyber insurance worth it in the long run?

Of course, insurance policies can help organizations recover following a successful attack and can help reduce risk. They can also allow organizations to compete for and win business, as many organizations now require coverage from their vendors and partners.

Even so, some organizations are finding that they can’t justify paying the premiums, even if it might cost them business opportunities; some, particularly small and medium-sized enterprises, are finding that they can’t meet all the controls that insurers now require before issuing coverage. Still others are deciding they’re better off investing more in their security programs rather than in insurance.

“I have some clients—and they tend to be larger—who have looked at costs of cyber liability as costs have gone up, and the benefits and the drawbacks, and they’ve decided it’s not worth the coverage. They’re taking the money they would have paid into the policy and setting it aside and they’re saying they’re going to just deal with it in-house,” Engel says. “That’s not the solution for everybody; it’s not for those who don’t have tools to identify when a breach is happening and who can’t do the investigative work. But for companies with that depth or the ability to outsource it, that’s something they’re starting to take a look at.”

Not surprisingly, CISOs and other executives don’t publicly discuss such deliberations or their policies, noting that they don’t want to create any incentive for hackers to attack them by disclosing whether, or what, cyber coverage they have. But experts confirm that those discussions are increasingly happening.

In those cases, CISOs are being called on to work with risk, legal, and other executives to evaluate their organization’s cybersecurity posture, articulate the threat landscape, quantify risks, and make recommendations on the best path forward, Pisano says. “You have a decision to make as a business what you can afford. It’s a cost-benefit analysis,” he adds.