The changing face of cyber insurance as cyber security attacks surge
As cyber insurance premiums and policy conditions spiral in response to the rise in cyber security incidents, Phoenix’s Lead Governance, Risk, and Compliance Consultant, Tracey Hannan-Jones explores the new terms you should be aware of and how your public sector organisation can protect itself against increasing insurance costs.
With cyber-attacks surging in frequency over the last 18 months and large-scale ransomware attacks inundating brokers with claims, it's no surprise that the cost of buying cyber insurance is soaring, leading some organisations to consider other options, such as setting up their own captive insurance companies.
According to a report from the insurance broker Howden, cyber insurance premiums have increased by almost a third in the last 12 months because of the sharp rise in ransomware attacks. Insurers aren't just raising prices: many are also scrutinising the security controls of the organisations that buy cover from them more closely, resulting in a heightened focus on cyber security across the public sector.
How are cyber insurance companies responding to the increase in cyber security attacks?
Typically, ransomware is covered under an organisation's general cyber policy, which combines financial compensation for losses, such as business interruption and ransom payments, with services such as data recovery. However, as attacks rise in number and severity, some insurers are changing their policies to reduce the cover they offer or, where an organisation's controls are weak, declining to write the policy at all.
Cyber insurance is traditionally built as a tower: cover is split into layers, each underwritten by a different insurer. The primary layer takes the first hit above the customer's excess, but as ransoms grow and other costs make it more likely that the primary layer will pay out in full, the layers above it are exposed more often, and cover is becoming harder and more expensive to place.
The global insurer AIG recently announced it would be tightening its cyber insurance terms, including a tougher underwriting process with an additional 25 detailed questions on the security measures its customers have in place. Clients that don't meet the required control level will see their ransomware limit halved and will be expected to share losses under a co-insurance arrangement.
As a preventative measure, more insurers are now providing emergency support services alongside financial compensation. By offering emergency support to organisations that have identified a cyber security risk, insurers can limit the damage and avoid the cost of paying out should an attack happen.
We've also seen a reduction in coverage for specific 'high value' sectors, such as education and healthcare, as insurers try to mitigate the financial fallout of backing high-profile and heavily targeted organisations. Lloyd's of London insurer Beazley, a prominent cyber insurance underwriter, has turned its attention to its customers' defence strategies, asking key questions about company culture and internal cyber security training to ascertain whether organisations are approaching cyber security with their first line of defence in mind: their workforce.
Organisations' recovery strategies and response testing are also being explored in more detail. If you can restore your systems and recover data efficiently following a ransomware attack, paying the ransom becomes unnecessary, and the insurer avoids paying out.
What can public sector organisations do to improve cyber security and reduce their cyber insurance premiums?
Ransomware-as-a-service has grown in popularity, and as the complexity, frequency and severity of ransomware attacks skyrocket, third-party services offering support hotlines and websites that publicise attacks have appeared to help organisations identify and prevent them.
However, many ransomware attacks are opportunistic rather than planned or targeted: they exploit whatever weakness they find in an organisation's cyber security strategy. You shouldn't rely on basic security controls and recovery plans alone. Instead, take a more measured approach to avoiding a cyber security breach and to mitigating one, should it happen.
Take our short cyber security assessment to discover how strong your cyber security strategy is and help you to identify any weak spots.