Cyber insurance is becoming more popular as cyber attacks continue to increase in frequency and sophistication, and new research shows improved security capabilities are helping companies save on their coverage.
Two new studies indicate insurance premiums are falling as enterprises around the world are getting serious about bolstering resilience.
Global Insurance broker Howden released a report on 1 July stating cyber insurance is entering a new phase of development, after claiming the market was on “the cusp of transformational growth” last year.
“Following a major market correction off the back of surging ransomware claims in 2020 and 2021, conditions started to stabilize last year as improved cyber hygiene amongst insureds helped to prevent or mitigate the impact of attacks,” the report stated.
Sarah Neild, head of cyber retail UK at Howden, said “favorable dynamics” have continued into 2024, noting that despite ongoing attacks, Howden’s global pricing index shows the cost of cyber insurance is falling.
Meanwhile, an independent survey commissioned by Sophos, which spoke to 5,000 IT and cybersecurity leaders across 14 countries in the Americas, EMEA, and Asia Pacific, revealed insurance adoption is becoming more widespread.
It found 90% of organizations with between 100 and 5,000 employees had some form of cyber coverage, with 50% taking out a standalone policy and 40% being covered as part of a wider business insurance policy, such as general liability coverage.
The results indicate that organizational revenue has a minimal impact on whether or not a business takes out cyber insurance, with 92% of respondents from companies with less than $50 million annual revenue claiming to have some form of coverage, compared to 93% of enterprises with over $1 billion in annual revenue.
When asked what was driving this wave of adoption, almost half of respondents identified a growing general awareness of the business impacts of cyber attacks as the primary motivation factor that pushed them to take out cyber policies.
Firms are investing with cheaper cyber insurance rates in mind
Like Howden, Sophos also noted improved security capabilities were pushing down rates on cyber coverage.
Moreover, Sophos found virtually every respondent (97%) whose organization had purchased an insurance policy stated it had invested in its security capabilities with the explicit goal of optimizing their insurance position.
Of these, 63% said their organization had made major investments to this end, with 34% stating they had only made minor investments.
This approach appears to have worked, with 4,351 of the 5,000 organizations represented stating their investments in improving their cyber defenses had a positive impact on their insurance position.
Three-quarters (76%) of respondents said it enabled their organization to qualify for coverage, 67% said it enabled their organization to get better priced coverage, and 30% stated the investments helped their firm to get better priced policy terms.
Commenting on this trend, Ilia Kolochenko, CEO at ImmuniWeb and adjunct professor of cybersecurity at Capital Technology University, said Howden’s report sheds light on subtle trends on the global cyber insurance market.
“First, less companies are willing to invest a considerable amount of money in cyber insurance after having a pretty bad experience in the past, when insurance coverage was denied under a plethora of reasons and contractual clauses inconspicuously incorporated into the insurance agreement,” he explained.
“After burning their fingers with an insurance policy, some companies either entirely re-allocated insurance budget to improve their cybersecurity controls and hire more people, or procured the bare minimum of cyber insurance as it may be required by law or be a prerequisite of their external stakeholders, such as auditors, investors, clients or partners,” Kolochenko added.
“Thus, cyber insurance businesses are trying to retain and attract new clients with more attractive premiums and other conditions.”
The second trend Kolochenko identified was that cyberspace is becoming less of an unknown quantity for insurance firms, with better access to the historical data needed to quantify the cyber risk posed to businesses.
“The cyber insurance industry is becoming mature: insurance firms now have enough historical data about incidents of all kinds to offer data-driven and meticulously calculated premiums and other terms to insurees of all sizes. Hence, when you know exactly how to quantify the impact and probability of all insured risks, you hedge your own risks and thus can offer more competitive conditions while staying profitable,” he said.
“Of note, many insurances flatly excluded some types of unpredictable or high costs from being covered (e.g. legal defense of employees of a breached company when sued in their personal capacity, crisis communications teams and media relations, payment of ransom). Eventually, insurance firms now have a broad leeway to optimize their prices.”
The final factor shaping this shift in the market was the fact that improved levels of cyber readiness have made the business of insuring against cyber attacks mch less risky, helping insurers offer more competitive rates.
“Most large companies that can afford to invest in cyber insurance, have significantly increased their cybersecurity and cyber resilience, including rapid disaster recovery, thereby making cyber insurance a less risky business.”