Insurance providers have a much better understanding of the risks and costs of cyberattacks compared to a few years ago. However, they are still adjusting their offerings. This includes a growing interest in cyber insurance, which can be purchased independently or as an add-on to commercial property and general liability policies. The market is also examining ways to cover risk aggregations and large loss exposures. Before purchasing cyber insurance, companies should also take measures to prevent cyberattacks.
Like any other insurance policy, cyber coverage comes with a cost. The price of an organization’s premium will depend on the type and amount of coverage it selects. The premium will also include the policy’s deductible. Many organizations will save on premiums by bundling their cyber policies with other business insurance policies. For example, a small retail shop might have to pay for credit monitoring services for several years for customers affected by a data breach or invest in a public relations campaign to repair damage to the retailer’s reputation. A traditional general liability or commercial property policy might not cover these costs.
Moreover, the retailer might not be eligible for coverage under a cyber policy if it has been the victim of a previous cyber attack. Other factors affecting insurance premiums include a company’s size and annual revenue. Industries that store massive amounts of personal information, like healthcare and financial institutions, might be deemed high risk by insurers. And some types of attacks may be considered uninsurable, such as cyberattacks aimed at critical infrastructure. Companies like Fortinet have made it clear that avoiding paying large ransomware settlements is ideal, and security protocols should be put into place to prevent a breach. Still, it is sound advice to have cyber insurance as a backup in case of a breach.
A good cyber insurance policy will cover the costs of defending and settling a cyber breach resulting from an attack, up to the loss of revenue that occurs as a result. This could include hiring a call center to respond to customer inquiries, public relations advice, IT forensic fees, and any legal costs that might arise. It is a very important policy to consider, as some breaches are not covered by other policies, such as property liability or directors’ and officers’ insurance.
Various insurers offer cyber insurance, from large name-brand insurance companies with dedicated divisions to smaller companies focusing solely on this type of coverage. The underwriting standards may vary among the providers, but they all look for solid cyber risk management controls. They will also consider the industry sector in which the client operates, as some industries are more susceptible to certain cyberattacks.
The overall market conditions for cyber insurance are stabilizing following a period of turbulence. While premium increases have slowed, capacity is still limited, and many carriers continue to restrict coverage for systemic risks. Furthermore, the market has been complicated by continued ransomware sprees and geopolitical events that have exacerbated threat levels and demand for cyber protection. Despite these challenges, the need for cyber insurance remains strong and is expected to grow even further in 2023.
Cyber insurance can cover many types of losses. However, clients should consider several exclusions. These can include coverage for loss of revenue and deductibles, loss of business opportunities, the impact on reputation, and other indirect costs. In addition, cyber policies do not typically cover physical property damage or bodily injury. These are usually covered by different types of insurance, including commercial general liability and property. Insurers are working to reduce the impact of these exclusions by creating more tailored policies and encouraging clients to implement continuous control monitoring. This will allow insurers to continuously understand a client’s security posture and adjust accordingly.
Another area often excluded from cyber policies is fines and penalties for credit card breaches. This is because the policy would not cover third-party claims, which are usually covered by an errors and omissions (E&O) policy. As the market begins to normalize after two years of price increases and a decline in ransomware attacks, brokers will focus on improving their ability to offer a more holistic cyber insurance solution. For example, a client may be interested in purchasing coverage to offset the effect on their bottom line of regulatory fines and penalties that they could face following a breach. The same may also be true for a company seeking to expand its cyber limits or increase its self-insured retention.
The insurance industry is maturing in cyberspace, with underwriting practices becoming more stringent. Those who fail to meet cyber hygiene standards or otherwise misjudge risk will find that premiums increase and coverage is more restrictive. Some insurers have even dropped the business altogether, citing high costs and low demand. In addition to a higher price point, a cyber policy must cover the expenses associated with a cyberattack. This can include hiring a call center to handle customer inquiries, public relations advice, IT forensics and legal fees. It can also cover any resulting regulatory fines.
Historically, commercial property and casualty policies included limited cyber coverage. But this type of coverage often leaves businesses exposed to unknown losses. Moreover, it’s not uncommon for a single cyber event to trigger multiple damages excluded by non-cyber policies. To combat this problem, some insurance companies offer stand-alone cyber policies rather than integrating them into larger packages.