Cyber Liability Insurance – The Basics

Cyber insurance, also commonly known as cyber risk insurance and cyber liability insurance, protects you from the impact of cybercrime (though not from the crime itself). Broadly speaking, there are three main benefits to having cyber insurance:

  1. Financial. The insurance covers costs in the event of a cyber incident
  2. Operational. The insurance team provides immediate access to experts in the event of an incident, including IT forensics specialists, privacy lawyers, and PR pros
  3. Peace of mind. Having cyber insurance gives confidence to your customers, partners, suppliers, and employees that you are prepared and covered should a cyber incident strike

While cyber insurance claims can be triggered by a wide range of incidents, the most frequent cause of claims according to NetDiligence’s Cyber Claims Study 2020 are four common threats: ransomware, social engineering, hackers, and business email compromise (BEC)

What cyber insurance covers

Cyber insurance covers the costs incurred as a result of a cyberattack. While individual policies vary, they typically cover:

  • Forensic analysis to identify the attack source
  • Ransom demands and specialists to handle ransom negotiations
  • Costs to regain access or restore your data from backups or other sources
  • Legal costs
  • Public relations services
  • Notification of clients and/or regulatory bodies
  • Credit monitoring services for affected individuals

When sourcing policies and comparing costs, it’s worth noting that the costs of business interruption, such as loss of income or additional costs of work due to the cyberattack, are included in some policies, but not others.

In the event of a cyber incident, the insurance provider will step in and provide experts to help deal with the situation. For a ransomware attack, they will typically:

  • Appoint a consultant to advise on the handling and negotiation of the ransom demand
  • Bring in the necessary experts to deal with the issue
  • Identify the lowest cost way to restore the data (ransom payment, backups etc.)
First Party Coverage

First-party coverage is direct costs associated with the response to the attack, for example legal fees, forensic fees, customer notification fees, PR fees, and so on.

Third Party Coverage

Third-party coverage is primarily costs associated with lawsuits.

The prevalence of cyber insurance

Overall, 92% of all respondents said that their organization currently has some level of cyber insurance coverage in place. 83% of respondents have cyber insurance that covers ransomware, although 41% of them (34% of all respondents) say there are exceptions and exclusions in their ransomware coverage.

Cyber insurance adoption has increased over the last two years: in our 2020 survey (which reflected organizations’ experiences in 2019) 84% of the 5,000 respondents said their organization had cyber insurance and only 64% had cyber insurance that covered ransomware1.

On a per-country basis, European countries top the cyber insurance coverage chart this time round with respondents in the Czech Republic (99%), Sweden and Belgium (both 98%) most likely to report that their organization has coverage. Hungary reported the lowest level of cyber insurance coverage (82%) while Israel has the lowest rate of coverage against ransomware (66%).

At a sector level, the energy, oil/gas and utilities sector has both the joint highest level of cyber insurance coverage (96%), together with retail, and the highest level of coverage against ransomware (89%). This is unsurprising given that this sector is a major target for attacks (for example, the Colonial Pipeline ransomware incident of 2021), and also has high levels of legacy infrastructure that is often hard to keep up to date, increasing exposure to attack.

At the other end of the scale, manufacturing and production has both the lowest level of cyber insurance coverage (86%) and the lowest level of coverage against ransomware (75%).

This high overall rate of cyber insurance coverage is understandable given the growing cyber threat challenge facing IT teams: over the last year 57% of respondents experienced an increase in the volume of cyberattacks on their organization, 59% saw the complexity of attacks increase, and 53% said the impact of attacks had increased.

Ransomware is the number one driver of cyber insurance claims2 and over the last year there was a 78% increase in the percentage of organizations that experienced an attack: up from 37% in 2020 to 66% in 2021. As adversaries have become more capable at executing attacks at scale it follows that demand for cyber insurance has also increased.

Ransomware experience drives ransomware cyber insurance coverage

Organizations hit by ransomware in the last year are much more likely to have cyber insurance that covers them against ransomware than those that avoided falling victim to an attack. Among those that were hit, 89% have cyber insurance that covers ransomware compared with 70% of those not hit.

The cause-and-effect is not clear here. It may be that direct experience of a ransomware incident has driven many organizations to take out insurance to help mitigate the impact of future attacks. Alternatively, adversaries may target their attacks on organizations that they know have insurance coverage to increase their chances of a ransom pay out.

Another option is that some organizations took out coverage to balance known weaknesses in their defenses. The reality is likely a combination of all three.

It’s worth noting that a prior claim can make securing new or renewed coverage more difficult without a significant investment in a changed approach to cybersecurity as insurers look to reduce the risk of a major payout.

Rising Ransomware

As previously noted, many organizations have exceptions or exclusions to their ransomware coverage. For example, should an organization choose not to include having the provider pay the ransom component of a ransomware attack, that will often bring down the overall price of coverage. When evaluating what to include in a policy, it’s helpful to understand the reality of ransom payments today.

965 respondents whose organization paid the ransom shared the exact amount, revealing that average ransom payments have increased considerably over the last year. However, there is considerable variation in ransom payment by country and/or sector.

Overall, over the last year there has been an almost threefold increase in the proportion of victims paying ransoms of US$1 million or more: up from 4% in 2020 to 11% in 2021. In parallel, the percentage paying less than US$10,000 dropped from one in three (34%) in 2020 to one in five (21%) in 2021.

Globally, the average ransom payment came in at US$812,360, a 4.8X increase from the 2020 average of US$170K (based on 282 respondents). While this headline sum is influenced by 15 eight-digit payments, it’s clear from the data that ransoms are trending upwards across the board.

There is considerable sector variation, with adversaries extracting the highest sums from those they consider most able to pay:

  • HIGHEST average ransom payments were US$2.04M in manufacturing and production (n=38) and US$2.03M in energy, oil/gas and utilities (n=91)
  • LOWEST average ransom payments were US$197K in healthcare (n=83) and US$214K in local/state government (n=20 – note: this is a low base numbers)

Major changes to organizations’ experience of getting cyber insurance over the last 12 months

94% of those with cyber insurance said the process for securing coverage had changed over the last year.

  • 54% say the level of cybersecurity they need to qualify is now higher
  • 47% say policies are now more complex
  • 40% say fewer companies offer cyber insurance
  • 37% say the process takes longer
  • 34% say it is more expensive

Collectively, these findings illustrate the profound impact the recent hardening of the cyber insurance market has had on organizations looking to secure coverage. What’s more, in light of the rising cyber threats and ransom payments revealed by the study, we anticipate the challenges will continue throughout 2022.

Fewer insurers are writing policies

40% of respondents said there are fewer companies now offering cyber insurance. This reduction in supply is in response to the heavy losses many providers have experienced in recent years. Illustrating this point, in November 2021 it was reported that Lloyds of London, which underwrites around one-fifth of the global cyber insurance market, had discouraged its members from taking on cyber business in 2022 due to mounting losses.

This reduction in cyber insurance provision was particularly severe in Sweden, Nigeria, Chile, the Czech Republic, Australia and the Philippines where more than half of the respondents indicated the number of providers had dropped. At the other end of the scale, reports of reduced availability were lowest in Brazil (24%), Mexico (29%) and France (29%), however, this still represent a notable drop of insurance outlets on the prior 12 months.

Higher cyber controls are needed to qualify for coverage

With reduced supply, cyber insurance has become a sellers’ market, with providers in a much stronger position to stipulate policy conditions and pre-requisites for coverage. Consequently, over half of the respondents (54%) said the level of cybersecurity needed to qualify for coverage has increased over the last year.

Organizations applying for new and renewal policies in 2022 are often faced with a new normal: If you want to qualify for cyber insurance, you will need stronger cyber defenses. Common cyber controls required/desired to secure coverage, according to leading brokers Marsh McLennan Agency and Hub, include multi-factor authentication (MFA), endpoint detection and response (EDR), email security, web controls and more.

Coverage is more expensive.

Another consequence of both the reduced market capacity and heavy insurer losses has been an increase in the cost of cyber insurance. One third of respondents said that the price of coverage had gone up over the last year. However, given that the major cyber insurance price rises began in the second and third quarters of 20214, it’s likely that many of the respondents hadn’t experienced the impact of this change at the time of the research. Organizations looking to take out a policy in 2022 should adjust their budgets accordingly.

Coverage is more difficult to secure.

Not only is coverage more expensive, it is also often harder to secure. Almost half of the respondents (47%) reported that policies are now more complex. Possible examples include an increase in sub-limits, i.e., maximum payouts for different types of costs, or more detailed and/or extensive exclusions.

In addition, over one third (37%) report that it now takes longer to secure the policy. This is likely due to a combination of the more stringent cyber controls that are in place and the reduced supply.

Organizations looking to secure a policy this year would do well to act early: by doing so you give your organization the best chance of getting coverage while there is still available capacity and also having the time needed to negotiate your policy fully.

Conclusion.

Observers of the cyber insurance market likely will agree that the changes over the past 12 months have been astonishing. While most organizations have some form of cyber insurance, the vast majority of survey respondents have experienced a change in their experience of securing coverage over the last year, including higher premiums and more stringent cyber controls.

Qualifying for cyber insurance today requires a concerted effort to do all you can to reduce your risk profile. Those who get the best terms, rates and limits will be those who pose the least risk to the underwriters. If you want to obtain cyber insurance in 2022 you should have in place strong technological defenses combined with educated and trained users, plus up-to-date procedures.

With some providers leaving the market, getting your organization’s cybersecurity defenses in place and submitting your application early could help you obtain a policy before the supply runs out. If you have questions about what your insurance provider requires, bringing them into the conversation sooner rather than later could help you direct your cybersecurity investments to meet the criteria they are setting to qualify for coverage.

The good news is that cyber insurance firms have diligently been holding to their side of the agreement, with a 98% payout rate on cyber insurance claims reported by survey respondents.

Suggested next steps: View the on-demand videos or the solution to optimizing your cyber insurance position by clicking either of the links below.