
Who is this blog for?

This blog post is for business owners and IT professionals in SMB and Mid-Market companies wanting to know more about what it means to be insured for cyber security risks, and the limitations of cyber insurance itself.

Cybercrime can be a complex and challenging topic, but it’s important to understand the risks and how to protect your business. This blog discusses the importance of cyber insurance for SMBs and how the evolving threat landscape impacts insurance decisions. It also provides best practice cyber security guidance, so that your business is not only better protected, but more likely to meet insurers’ requirements.

We’ve researched the latest trends and spoken to leading experts in the field to help make sense of the conflicting advice that is out there. Keep reading to find out more.

Read time: 8 minutes 

Introduction 

Cyber insurance has emerged as a beacon of hope for many businesses seeking refuge from the ever-increasing threat of digital attacks. However, this supposed safety net is riddled with inherent limitations, leaving many organisations unknowingly vulnerable to the full force of cyber-assaults.

In the past, effective cyber security protection has been seen as a complicated and expensive luxury reserved for large organisations. But now, as the cyber insurance market continues to be in a state of flux, tools are available that are affordable to all businesses, regardless of size.

While cyber insurance can provide financial relief in the aftermath of a breach, it should never be viewed as a substitute for robust cyber security practices. Instead, it should serve as a complementary measure, adding an extra layer of protection to an already well-fortified digital estate.

 

The Reality of Cybercrime 

The reality is that many businesses are still not taking their cyber security seriously enough. Many smaller businesses are of the mindset that cybercrime is only a real threat to bigger companies, or that it is simply too expensive to put real cyber security measures in place.

Unfortunately, the truth is that cyber criminals target businesses that will yield quick and easy results. Businesses that have not invested in protecting themselves properly and have not implemented the basics become the ideal target.

Additionally, small and medium-sized businesses that may lack adequate protection are becoming easier to identify with the use of AI (Artificial Intelligence). Unprotected environments are quickly identified and exploited by competent cyber criminals.

 

Insurance Policies Are Shaping Cyber Security Strategies 

Sophos, a leader in cyber security and endpoint protection for SMBs, has recently published their annual study of IT professionals on the front lines of cyber security. The report reveals how IT professionals’ experiences with obtaining cyber insurance have changed in the past year. It also examines the impact of cyber insurance on businesses’ cyber security defences.

With ransomware a major factor in both cyber insurance purchases and claims, the study also sheds light on the frequency of cyber insurance payouts in the event of an attack and the types of costs covered, including the frequency of ransom payments made by insurers.

 

‘Ransomware is the number one driver of cyber insurance claims and over the last year there was a 78% increase in the percentage of organizations that experienced an attack: up from 37% in 2020 to 66% in 2021.’

Sophos Cyber Insurance 2022 Report 

As the cyber insurance market hardens and it becomes more challenging to secure coverage, almost all organisations (97%) with cyber insurance have made changes to their cyber defences to improve their insurance position: 64% have implemented new technologies/services; 56% have increased staff training/education activities; 52% have changed processes/behaviours.

Major changes to organisations’ experience of getting cyber insurance over the last 12 months:

 

    • 94% of those with cyber insurance said the process for securing coverage had changed over the last year
    • 54% say the level of cyber security they need to qualify is now higher
    • 47% say policies are now more complex
    • 40% say fewer companies offer cyber insurance
    • 37% say the process takes longer
    • 34% say it is more expensive

‘As we go into 2024, the cyber insurance market is experiencing ‘selective softening’. Coverage is increasingly available – but only for low-risk organisations that have strong cyber defenses. The better your defenses, the better your insurance position.’ 

Sally Adam, Director of Global Marketing, Sophos. 

 

Can I, and should I, buy Cyber Insurance? 

 

‘Observers of the cyber insurance market likely will agree that the changes over the past 12 months have been astonishing. While most organizations have some form of cyber insurance, the vast majority of survey respondents have experienced a change in their experience of securing coverage over the last year, including higher premiums and more stringent cyber controls.’

Sophos Cyber Insurance 2022 Report 

Insurers are becoming more selective about the risks they take on and are demanding higher premiums – and more onerous terms. If you’re thinking of investing in cyber insurance, your security practices need to be up to scratch.

There are several reasons for this: the increasing frequency and severity of cyber-attacks, the rising cost of ransomware payments, and the growing complexity of the cyber threat landscape. As a result, businesses are now facing higher premiums, lower limits, and stricter policy terms. Some insurers are even withdrawing capacity from the market altogether, making it difficult and expensive for businesses to obtain cyber insurance.

Now, cyber insurance providers require a risk assessment before they offer you a policy. This is because they need to understand your specific risks to price your policy accurately. The stronger your security posture and the more mature your security practice, the more likely you are to secure a cyber insurance policy at a competitive price.

One leading cyber insurance provider in the UK is Hiscox. They offer a free risk assessment tool that can help you to identify and mitigate your cyber risks, before applying for a policy. You can learn more about their risk assessment tool here.

 

The Role of Artificial Intelligence in Cyber Insurance 

A significant, and relevant, challenge facing cyber insurers is the increasing sophistication of cyber-attacks. Criminals are constantly developing new methods of attack, and insurers are struggling to keep up.

Artificial intelligence is playing an increasingly important role in both cyber-attacks and cyber insurance.

On the one hand, AI is being used by cybercriminals to develop more sophisticated and automated attacks. AI-powered tools can be used to identify vulnerabilities, exploit software flaws, and spread malware on a massive scale.

On the other hand, AI is also being used by cyber insurers to improve their risk assessment and underwriting processes. AI algorithms can analyse vast amounts of data to identify patterns and trends that are indicative of cyber risk. This information can then be used to price policies more accurately and to find businesses that are at a higher risk of being attacked.

‘On the one hand, AI is being used by cybercriminals to develop more sophisticated and automated attacks. AI-powered tools can be used to identify vulnerabilities, exploit software flaws, and spread malware on a massive scale. 

On the other hand, AI is also being used by cyber insurers to improve their risk assessment and underwriting processes. AI algorithms can analyse vast amounts of data to identify patterns and trends that are indicative of cyber risk. This information can then be used to price policies more accurately and to find businesses that are at a higher risk of being attacked.’

Sally Adam, Director of Global Marketing, Sophos. 

AI is already making inroads into the UK cyber insurance landscape, and we can expect to see even more innovative applications in the years to come. AI has the potential to revolutionise the industry, and we hope that this will translate into more affordable premiums.

 

The Limitations of Cyber Insurance 

Cyber insurance, on its own and without regard for cyber security best practices, is not a safe strategy. Businesses that consider cyber insurance as an easy and cheaper alternative to investing in cyber tooling and workforce education will soon understand this is a myth.

Cyber insurance is a complex and evolving market, with insurers adapting their offerings to keep up with the growing threat of cyber-attacks. Currently, there is widespread concern that the industry’s efforts won’t be sufficient, prompting some governments to consider intervening.

One of the biggest challenges facing cyber insurers right now is the increasing cost of successful attacks. The average global cost of a data breach hit a new high of £3.41m last year, according to IBM’s latest Cost of a Data Breach Report.

As a result, the cost of cyber insurance premiums has been rocketing. Insurance broker Marsh has reported that premiums for cybercrime coverage grew by 28% in Q4 2022 and by another 11% in the following quarter. According to Forbes’ Making Cyber Risk Insurable 2023 Report, there have even been suggestions that cyber insurance is becoming unsustainable.

 

‘For cyber insurance to be viable—and perhaps ubiquitous—some things are going to have to change. It’s also clear, given how various-size organizations pursue their cybersecurity, there is no one size fits all.’

Making Cyber Risk Insurable 2023 Report

 

What Are the Insurers Looking For? 

Insurers are becoming increasingly selective when it comes to underwriting cyber insurance policies. This is due to the rising frequency and severity of cyber-attacks, which have made cyber insurance a riskier proposition for insurers. As a result, insurers are scrutinising potential customers more closely to assess their cyber risk profile and determine whether they are a good fit for coverage.

It’s worth bearing in mind that there are some key factors insurers consider when evaluating potential cyber insurance customers:

 

Cyber Security Best Practices: The Basics 

If the basics are in place, such as making sure that all hardware and operating systems are up to date with the latest releases, then businesses will be more likely to meet underwriters’ requirements, as well as recover from an attempted cyber-attack:

 

    • Using strong passwords: Passwords should be at least 12 characters long and include a mix of upper and lowercase letters, numbers, and symbols. It is also important to avoid using common words or phrases in your passwords.
    • Keeping software up to date: Software updates often include security patches that can help to protect your systems from known vulnerabilities. It is important to install software updates as soon as they are available.
    • Educating employees about cyber security: Employees should be trained on cyber security best practices, such as how to spot and avoid phishing emails and how to create strong passwords.
    • Developing a cyber security incident response plan: If a cyber-attack happens, it is important to have a plan in place for responding to the incident. This plan should include steps for containing the damage, notifying affected individuals, and restoring systems.

 

 

‘Organizations hit by ransomware in the last year are much more likely to have cyber insurance that covers them against ransomware than those that avoided falling victim to an attack. Among those that were hit, 89% have cyber insurance that covers ransomware compared with 70% of those not hit.’

Sophos Cyber Insurance 2022 Report 

 

Conclusion 

Cyber insurance should never be seen as a standalone solution. It is crucial for businesses, of all sizes, to invest in robust cyber security measures as well. The reality is, cyber insurance and cyber security need to go hand in hand, complementing each other as part of a comprehensive risk management strategy.

Implementing effective cyber security practices, such as multi-factor authentication (MFA), is a critical step in fortifying businesses, particularly SMBs, against cyber-attacks. However, it’s important that all businesses adopt a “buyer beware” approach when considering cyber insurance. Buyers must carefully analyse the details of insurance coverage, ensuring it aligns with their specific cyber security needs.

By combining strong cyber security measures with the right cyber insurance coverage, businesses can significantly reduce their risk profile and ensure they are well-prepared to handle the financial and reputational fallout of an attack.

Taking this proactive stance against cyber threats means you safeguard your people, your data, and your reputation. If you’re not already insured, now’s the time to start looking!