Cyber insurance has certainly grown as cyber attacks have become more frequent and sophisticated. Enterprises are increasingly turning to cyber insurance to protect themselves against financial losses resulting from cyber incidents.
The Insurance Information Institute recently reported that the global cyber insurance market grew from $3.4 billion in 2016 to $7.8 billion in 2020, representing a compound annual growth rate of 23.5%. The report also projects that the cyber insurance market will continue to grow at a similar rate over the next few years.
The COVID-19 pandemic has also played a role in the increased demand for cyber insurance. With more companies shifting to remote work, and with working environments now far more flexible and hybrid, there has been a significant increase in cyber attacks targeting workers and their devices. Business Wire reported that such cyber attacks increased by 81%. As a result, many businesses are seeing the value in having cyber insurance as part of their risk management strategy.
However, whilst the cyber insurance market is predicted to grow by $21bn by 2026 (see our white paper) and will serve as important protection for enterprises, many are being rejected for insurance because they simply are not in a state of cyber security readiness that gives insurers confidence.
What are the core reasons enterprises get rejected for cyber insurance?
Cyber security measures are just not up to scratch: If an insurer feels an enterprise has poor cyber security measures in place, for example no proper controls such as firewalls, antivirus software or data encryption, the risk of a cyber attack is significantly higher. To qualify for cyber insurance, businesses will need to demonstrate that they have these measures in place.
If there is a track record of cyber incidents: If a business has experienced ransomware attacks or data breaches, insurers will consider it high risk and can refuse coverage because they see a high chance of a repeat attack.
If they are a high-risk business: Cyber insurers may not consider it wise to insure enterprises that manage large volumes of personal data, such as financial institutions or healthcare providers.
Insufficient coverage: When only certain aspects of coverage are requested, insurers may feel that this creates considerable doubt and may refuse to cover the business at all.
Their financial health is in poor condition: An insurer may view a financially unstable business as likely to cut corners on cyber security measures and thus unable to recover adequately from a cyber attack.
So if businesses want to be cyber secure and have a layer of insurance protection, what can they do to get prepared?
Conduct a cyber security risk assessment: Before purchasing cyber insurance, it is essential to assess your business’s cybersecurity risks. This involves identifying potential vulnerabilities, evaluating the impact of a data breach, and reviewing the current security controls in place.
Discover all your assets: Many businesses we speak with are concerned that they are not mature enough because they cannot get to grips with where all their assets are. Obtaining complete asset visibility will be essential in giving insurers the confidence that enterprises have all bases covered.
Implement cyber security best practices: Once you’ve identified your risks, you’ll want to implement cybersecurity best practices to reduce your exposure. This can include employee training, implementing multi-factor authentication, regularly updating software, and maintaining secure backups.
Develop an incident response plan: Your business should also have a well-defined incident response plan in place in case of a cyber security incident. This plan should outline the steps your business will take in the event of a data breach, including who will be responsible for handling the incident and communicating with customers and stakeholders.
Choose the right insurance coverage: Cyber insurance policies can vary significantly in terms of coverage and cost. Before purchasing a policy, you should work with an experienced insurance broker to identify the coverage that best fits your business’s needs.
Regularly review and update your coverage: As your business evolves, your cyber insurance needs may change. It is important to regularly review your policy to ensure that it continues to provide adequate cover and adjust your coverage as necessary.
Is this enough?
Not quite; there is more that enterprises can do.
As our research in collaboration with Liberty Specialty Markets explored, these steps alone are still not enough, and Continuous Controls Monitoring can provide the assurance that insurers need in order to offer the required levels of insurance.
Ensuring that all steps are covered will not only give enterprises greater protection against cyber attacks but will also give insurers the assurance and confidence that the businesses they are insuring are in the best shape they can be.
It’s important for businesses to work with their insurance provider to understand the reasons for any refusal and take steps to address highlighted issues. This may include improving cyber security measures, reducing risk factors, or improving the business’s financial health.