6 Reasons Cyber Insurance Prices Are on the Rise

What’s happening today in the cyber insurance market is comparable to what happens to property insurance in a region that experiences a major hurricane or devastating flood. Not only are your company’s premiums increasing; oftentimes, insurers are scrutinizing your overall risk preparedness as part of their renewal process. 

In the first part of this two-part series, we’ll examine why cybersecurity insurance premiums have skyrocketed. In the second part, we’ll provide practical recommendations that you can follow to manage cybersecurity risk, which will help you address the escalating costs.

6 Reasons Cyber Insurance Costs Are on the Rise

As with many business trends we’ve experienced in the past couple of years, a variety of competing factors have converged to spur the substantial increase in cyber insurance premiums. In fact, median excess insurance prices increased by 123% in 2021, when compared with 2020.

Six key factors driving these changes are outlined below. 

Growing Demand for Cyber Insurance 

Cyber insurance is a relatively new form of risk management, with its roots dating back to the early parts of this century. At the time, cyber insurance was an affordable commodity, purchased by a small subset of companies. Since then, demand has surged, which has dramatically impacted pricing for insurance premiums.

According to recent research by cybersecurity firm Sophos, cyber insurance purchase rates have increased significantly over the past few years. The survey found that the five industries with the highest level of cyber insurance coverage included the following:

  • Energy/Oil/Gas and Utilities: 88% 
  • Media/Leisure/Entertainment: 88%
  • Business/Professional Services: 87%
  • IT/Technology/Telecoms: 87% 
  • Financial Services: 86% 

Even public sector organizations, which had the lowest cyber insurance purchase rates in the report, showed a significant coverage rate at 72%. 

Increasing Loss Ratios for Cyber Insurers

While customer demand has been surging for cyber insurance, cyber insurers’ payouts are also increasing. Loss ratios, which are typically defined as the ratio of claims paid by a cyber insurer compared to the amount of premiums collected during a one-year period, soared by 25% in 2020 to 72.8%, according to S&P Global.

Let’s reflect on that 72.8% figure for a moment: For every dollar that was collected in cyber insurance premiums in 2020, roughly 73 cents were paid out in claims. In addition, the report found that the average paid loss for a cyber insurance claim rose to $358,000 in 2020, compared to just $145,000 the year before. 

Large Payouts from Ransomware Attacks 

No cyber risk factor has had a bigger impact on premiums than the explosion of ransomware attacks. To put this into perspective, the average ransomware payment soared to $570,000 in 2021, compared to $312,000 in 2020, according to a report published by GRC World Forums.

In addition to ransomware payments, the average downtime from ransomware attacks increased by a full week (from 15 days in Q1 2020 to 22 days in Q3 2021), based on research by Statista. The lengthy downtime and negative reputational impact that result from high-profile ransomware attacks can also cause insurers to view affected companies as poor business risks. 

Even large companies with established funding sources can see productivity grind to a halt as a result of ransomware attacks. Brazilian meat processing company JBS experienced a ransomware attack from May 30 through June 2, 2021, that shut down several of its Australian, Canadian, and US facilities. Ultimately, an astonishing $11 million Bitcoin-funded ransomware payment enabled the company to resume normal operations.

Inability to Manage Supply Chain Partner Risk  

The global supply chain network has been under considerable strain since the global pandemic began in March 2020. This has helped to fuel ransomware attacks and increase cyber risk in general. As companies renew their insurance policies, insurers are examining their supply chain networks much more closely to validate that effective upstream and downstream security procedures are in place. 

Supply chain security has real-world impact. You may recall the April 2021 ransomware attack on Quanta Computer Inc., a key supplier to Apple. Ransomware group REvil initially demanded $50 million from Quanta to prevent the release of stolen Apple product blueprints before going directly to Apple to seek the ransom.

Ineffective Cybersecurity Hygiene 

Ineffective cybersecurity hygiene has a major impact on cyber insurance rates. Amid the ongoing IT security labor shortage, (ISC)² reported 2.72 million unfilled cybersecurity job openings in October 2021, which was, surprisingly, an improvement of 400,000 openings from the year before.

The staffing shortage has resulted in a plethora of unpatched, high-severity security vulnerabilities, and the Time to Fix for high-severity vulnerabilities has ballooned to 256 days, according to NTT. Reflecting on that timeframe, if a high-severity vulnerability appears on April 1, 2022, it won’t be patched, on average, until approximately December 13, 2022. During that entire time period, the company remains vulnerable to a potential attack, so cyber insurers need to price that exposure into their policies. 

Work from Home Exposure 

Insider threats and endpoint security procedures are harder to enforce in today’s work-from-home environment. Furthermore, cybersecurity preparedness training can be difficult to administer and police in a remote work model. And, depending on the user’s work environment, it can be nearly impossible to safeguard trade secrets from a home office. These factors result in higher risk for remote work than for traditional office settings, where network activity and site access can be controlled much more stringently. 

Reduce Cybersecurity Risk to Keep Premiums Manageable 

Although no cybersecurity protection approach constitutes a silver bullet, a combination of best practices can be followed to keep your cyber insurance rate increases reasonable. The second part of this series, which is coming soon, will provide you with best practices that enable you to address the issues outlined here.

Neil Jones

Neil Jones is Director of Cybersecurity Evangelism at Egnyte. Jones has worked in a variety of roles in the field, including product marketing, sales and even product pricing. He has been a designated Certified Information Systems Security Professional (CISSP) since 2008.
