Cyber insurance providers are charging customers higher prices and asking them to jump through more hoops thanks to an explosion in ransomware attacks in the past year.
Cyber insurance premiums have gone up between 40% and 60% in the past year, by some industry estimates, while the policy guidelines and verifications needed to obtain such insurance have gone up significantly as providers try to protect their bottom lines.
“Costs of cyber insurance have spiked significantly, without a doubt,” said Brian Horton, the CEO of Breadcrumb Cybersecurity, a cybersecurity firm in California. “We’ve personally seen some policies go up 40%-60% in the past year.”
The changes to cyber insurance have made it more challenging for businesses to get covered at exactly the time when they need it the most, but cybersecurity firms say insurance is merely a backup and that prevention through stronger digital security is the real solution to ransomware attacks.
“The shift over the past year in cyber insurance in terms of verification they go through and prices they charge has gone up in orders of magnitude,” Horton said.
“Insurance companies are much more keen now to ensure that clients are doing what they can to mitigate risk of an attack on their own first before getting policy coverage,” Horton said.
The new “intensive” process, Horton said, organizations have to go through to get cyber insurance includes providing proof that an entity has control over their IT systems and servers, has a cybersecurity and antivirus system in place, and provides digital safety training for employees, such as how to use two-step authentication and other extra security steps.
The three key reasons for organizations to get insurance in the event of a cyberattack are losses caused by business interruption, ransomware payments, and the loss of sensitive company or customer data.
An important factor in cyber insurance costs going up, Horton said, is that businesses and organizations have traditionally been underinsured for ransomware attacks or didn’t have the right protection in the past.
Despite cyberattacks being a common problem in the past decade, it is only the recent series of massive attacks on the computer systems of the federal government, the Colonial Pipeline, and the meat producer JBS that have brought mainstream awareness to the need for increased cybersecurity and insurance, said Horton.
Cyber insurance companies say that they have been charging the wrong premiums for years and are only now course-correcting.
“The cyber insurance market has been severely underpriced for many years — at least since I started underwriting cyber nine years ago,” Ari Giller, the head of cyber underwriting at Tokio Marine HCC, an insurance company, toldInsurance Business magazine.
“To many, these price increases seem lofty because, in the past, the product line has been significantly underpriced for the exposure,” he said.
Another reason for cyber insurance costs going up is ransom demands from hackers have gone through the roof recently. The average ransom requested shot up from $15,000 to $175,000, an almost twelvefold increase, in the past five years, according to a ransomware analysis by NetDiligence, a cyber risk assessment company.
There were many notable ransomware incidents in 2020 that demanded more than $30 million, according to the ransomware report.
Cyber insurance companies are using multiple methods to mitigate costs because of the recent explosion in demand for their coverage, said Chuck Everette, the director of security at Deep Instinct, a cybersecurity startup.
“Some insurance companies are starting to backpedal and get out of their commitments, while others are asking for more security protections, more prerequisites to be in place, and some are charging higher prices, of course,” said Everette.