Blog Post
July 25, 2024
TL;DR
After cyber insurance rates skyrocketed from late 2020 to 2022, when the majority of the market had little choice but to switch to a completely remote way of working, prices have slowly started to drop. This new downward trend is promising, as organizations are increasingly searching for the most cost-effective ways to manage their cyber risks and offset potential losses.
Indeed, leading insurance broker and risk advisor Marsh recently reported that more cyber insurance claims had been filed in 2023 than ever before, highlighting this growing market demand. Unfortunately, another survey from IT security company Sophos found that 99% of those companies that made a claim to their respective cyber insurance carrier did not receive a full reimbursement due to the total bill exceeding policy limits.
At the same time, another market analysis released only this month discovered that although nearly half of respondents intend to adopt cyber insurance in the next year, 52% still noted that it was challenging to do so “because of the insurer’s requirements.” In other words, despite their intent to purchase, organizations are still struggling to find policies that adequately cover their exposure and offer a cost-effective cyber risk transfer option.
While there is evidently significant room for improvement, the noticeable downturn in insurance prices nevertheless offers a glimpse of optimism. With the ever-expanding set of historical cyber risk data both insurers and organizations have access to, along with highly reliable quantification models available, the current circumstances present an incredible opportunity to maximize this market's potential.
One of the three primary risk management strategies, risk transfer or insurance policy adoption, is to offset the cost of anomalous risk scenarios. Ideally, the policy ensures that if such risks materialize, the company can quickly recover. Cyber insurance, specifically, serves as a financial safety net for the overhead arising from cyber incidents, such as business interruptions, data breaches, or ransomware events.
Cyber insurance policies typically cover a range of potential loss types, including ransomware and extortion, business interruption, third-party service provider failure, third-party liability, data theft and privacy, and regulation and compliance expenses. For any organization, transferring all or a portion of this cyber risk is a crucial component of a comprehensive risk management strategy, providing a more cost-effective option when the price of internal mitigation is too high.
Despite its potential, cyber insurance's ultimate effectiveness hinges on policies being meticulously tailored to an organization's unique cyber risk profile. Every company faces specific cyber threats and vulnerabilities based on its technology stack and firmographics, rendering any one-size-fits-all policy insufficient. Even two businesses operating in the same industry in the same region are likely to face two different digital risk landscapes.
To ensure that cyber insurance policies are optimally customized, it's fitting to run a cyber risk quantification (CRQ) assessment on the company. On-demand quantification models take into account all of the necessary internal risk factors and combine this data with past events and industry trend information to produce an evaluation that breaks down the likelihood of the business experiencing various loss scenarios and the relative severity of those losses.
In the quantification pictured above, the assessment shows that the evaluated organization is, on average, likely to experience a loss of $5.7 million due to a business interruption. In this scenario, the business may face expenses relating to lost income, business impact forensics, public relations repair, recovery measures, and even client loss. Leveraging the insights generated for each of these scenarios, insurers and insureds alike can begin to develop the most suitable policy.
Understanding how likely these particular scenarios are to occur is critical for determining the most appropriate policy conditions. For instance, for GRC Logistics, Kovrr’s CRQ assessment, illustrated below, calculated that there is a 3% probability that, in the upcoming year, ransomware and extortion costs will exceed a proposed deductible of $5 million, indicating that such coverage would only financially protect the company in the case of tail events.
Given this data-driven forecast, organizational leaders may opt to completely lose this specific coverage area altogether and save on the premium. They may also decide to push for a higher sub-limit for a different loss scenario coverage area, such as business interruption, for which there is a 28% likelihood of exceeding the $5 million threshold.
Employing such an approach to crafting and evaluating insurance terms results in more bespoke, cost-effective policies. While the example above is merely one situation for which CRQ can lead to enhanced terms and conditions, there is a wealth of other applicable data regarding these standard cyber insurance loss scenarios. By leveraging these insights, businesses can better navigate the complexities of developing a robust cyber risk management program.
To learn more about the data-driven decisions that can be made when utilizing quantification to optimize insurance policies, schedule a free CRQ platform demo today.
While using CRQ to explore the various deductibles and limits that are best suited to the organization’s specific risk landscape, the final proposals should not be made without first factoring in the organization's overarching risk appetite. Companies with higher risk appetite levels, for example, are more likely to accept higher deductibles and limits to reduce premium costs. Risk-averse organizations, in contrast, may prefer the inverse to ensure maximum protection.
When considering this context, cybersecurity managers may also find that the more strategic option is to absorb the costs and reprioritize the insurance budget accordingly. Cyber insurance choices, although significantly bolstered by quantified insights, should not be made within a vacuum. Instead, the relevant data needs to be harnessed to better align these decisions with the company’s overall risk management strategy.
In addition to uncovering the insurance claim coverage trends, the Sophos survey likewise found "widespread uncertainty among cybersecurity leaders about what their policies actually cover...stemming from a disconnect” between those who purchase them and those directly dealing with the fallout of a cyber event. To avoid this situation and maximize the potential financial benefits of cyber insurance, CISOs must proactively engage with key stakeholders.
Cyber risk quantification is an extremely valuable facilitator in this regard. It offers tangible information to those responsible for cyber insurance negotiations, such as the CFO, and can, therefore, be directly leveraged in ensuing discussions with insurance providers. Translating cyber risk into loss scenario likelihoods and respective financial damages helps to bridge the gap highlighted in the Sophos survey, ensuring that everyone with relevant insights is involved in the insurance decision-making process.
Unfortunately, even as rates decline, organizations are still confronted by the lack of economically viable cyber insurance options. Granted, the industry's relative newness makes it difficult for many insurers to offer fit-for-purpose policies, as they would for other areas of business risk. Nevertheless, this situation compels stakeholders to either self-insure or adopt inadequate coverage that leaves room for unaccounted-for costs, potentially affecting resiliency.
On-demand cyber risk quantification creates an opportunity that overcomes this dichotic dilemma, offering organizations objective, accurate risk forecasts of the cyber loss scenarios they're most likely to experience.
With this data, CISOs, high-level executives, and insurance providers alike can more easily collaborate, thereby discovering the insurance deductibles and limits most likely to provide financial protection and, ultimately, support the organization in constructing a robust, cost-effective cyber risk management program.
Contact one of Kovrr’s cyber risk management experts today and discover how CRQ can minimize your insurance costs and bolster your cybersecurity strategy.
Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.
