Blog Post
Obtaining Fit-For-Purpose Cyber Insurance Amid a Volatile Market
July 25, 2024
TL;DR
- Despite their surge from 2020 to 2022, cyber insurance rates are now gradually decreasing. Unfortunately, most companies still struggle to find cost-effective policies.
- In 2023, a significant number of cyber insurance claims were filed, but 99% of companies that did not receive a full reimbursement said they lost out due to exceeding policy limits.
- Ideally, cyber insurance provides protection against various cyber events, and most importantly extreme loss events. It also is a crucial component of any comprehensive risk management strategy.
- To obtain tailored policies that accurately reflect an organization's unique risk profile, stakeholders should utilize on-demand CRQ models. Insurers, too, can harness these models to offer more, fit-for-purpose policies.
- Cyber risk quantification (CRQ) assessments help organizations understand the likelihood of experiencing different loss scenarios. With this data, parties can determine the optimal terms and conditions, including the deductibles, limits and sub-limits, ensuring comprehensive insurance coverage.
- Insurance decisions should also account for an organization's risk appetite. Including all relevant stakeholders in this decision-making process is essential for this alignment.
- Although rates are falling, it's still difficult in many cases to find the right cyber insurance limits. CRQ, however, offers accurate risk forecasts, enabling the creation of bespoke, cost-effective policies.
Cyber Insurance Prices Start to Fall, But Not Enough
After cyber insurance rates skyrocketed from late 2020 to 2022, when the majority of the market had little choice but to switch to a completely remote way of working, prices have slowly started to drop. This new downward trend is promising, as organizations are increasingly searching for the most cost-effective ways to manage their cyber risks and offset potential losses.
Indeed, leading insurance broker and risk advisor Marsh recently reported that more cyber insurance claims had been filed in 2023 than ever before, highlighting this growing market demand. Unfortunately, another survey from IT security company Sophos found that 99% of those companies that made a claim to their respective cyber insurance carrier did not receive a full reimbursement due to the total bill exceeding policy limits.
At the same time, another market analysis released only this month discovered that although nearly half of respondents intend to adopt cyber insurance in the next year, 52% still noted that it was challenging to do so “because of the insurer’s requirements.” In other words, despite their intent to purchase, organizations are still struggling to find policies that adequately cover their exposure and offer a cost-effective cyber risk transfer option.
While there is evidently significant room for improvement, the noticeable downturn in insurance prices nevertheless offers a glimpse of optimism. With the ever-expanding set of historical cyber risk data both insurers and organizations have access to, along with highly reliable quantification models available, the current circumstances present an incredible opportunity to maximize this market's potential.
The Purpose of Cyber Insurance
One of the three primary risk management strategies, risk transfer or insurance policy adoption, is to offset the cost of anomalous risk scenarios. Ideally, the policy ensures that if such risks materialize, the company can quickly recover. Cyber insurance, specifically, serves as a financial safety net for the overhead arising from cyber incidents, such as business interruptions, data breaches, or ransomware events.
Cyber insurance policies typically cover a range of potential loss types, including ransomware and extortion, business interruption, third-party service provider failure, third-party liability, data theft and privacy, and regulation and compliance expenses. For any organization, transferring all or a portion of this cyber risk is a crucial component of a comprehensive risk management strategy, providing a more cost-effective option when the price of internal mitigation is too high.
The Crucial Need for Fit-For-Purpose Policies
Despite its potential, cyber insurance's ultimate effectiveness hinges on policies being meticulously tailored to an organization's unique cyber risk profile. Every company faces specific cyber threats and vulnerabilities based on its technology stack and firmographics, rendering any one-size-fits-all policy insufficient. Even two businesses operating in the same industry in the same region are likely to face two different digital risk landscapes.
To ensure that cyber insurance policies are optimally customized, it's fitting to run a cyber risk quantification (CRQ) assessment on the company. On-demand quantification models take into account all of the necessary internal risk factors and combine this data with past events and industry trend information to produce an evaluation that breaks down the likelihood of the business experiencing various loss scenarios and the relative severity of those losses.
In the quantification pictured above, the assessment shows that the evaluated organization is, on average, likely to experience a loss of $5.7 million due to a business interruption. In this scenario, the business may face expenses relating to lost income, business impact forensics, public relations repair, recovery measures, and even client loss. Leveraging the insights generated for each of these scenarios, insurers and insureds alike can begin to develop the most suitable policy.
Discovering the Optimized Set of Deductibles and Limits
Understanding how likely these particular scenarios are to occur is critical for determining the most appropriate policy conditions. For instance, for GRC Logistics, Kovrr’s CRQ assessment, illustrated below, calculated that there is a 3% probability that, in the upcoming year, ransomware and extortion costs will exceed a proposed deductible of $5 million, indicating that such coverage would only financially protect the company in the case of tail events.
Given this data-driven forecast, organizational leaders may opt to completely lose this specific coverage area altogether and save on the premium. They may also decide to push for a higher sub-limit for a different loss scenario coverage area, such as business interruption, for which there is a 28% likelihood of exceeding the $5 million threshold.
Employing such an approach to crafting and evaluating insurance terms results in more bespoke, cost-effective policies. While the example above is merely one situation for which CRQ can lead to enhanced terms and conditions, there is a wealth of other applicable data regarding these standard cyber insurance loss scenarios. By leveraging these insights, businesses can better navigate the complexities of developing a robust cyber risk management program.
To learn more about the data-driven decisions that can be made when utilizing quantification to optimize insurance policies, schedule a free CRQ platform demo today.
Factoring in Risk Appetite Levels
While using CRQ to explore the various deductibles and limits that are best suited to the organization’s specific risk landscape, the final proposals should not be made without first factoring in the organization's overarching risk appetite. Companies with higher risk appetite levels, for example, are more likely to accept higher deductibles and limits to reduce premium costs. Risk-averse organizations, in contrast, may prefer the inverse to ensure maximum protection.
When considering this context, cybersecurity managers may also find that the more strategic option is to absorb the costs and reprioritize the insurance budget accordingly. Cyber insurance choices, although significantly bolstered by quantified insights, should not be made within a vacuum. Instead, the relevant data needs to be harnessed to better align these decisions with the company’s overall risk management strategy.
Convening Organizational Stakeholders at the Negotiating Table
In addition to uncovering the insurance claim coverage trends, the Sophos survey likewise found "widespread uncertainty among cybersecurity leaders about what their policies actually cover...stemming from a disconnect” between those who purchase them and those directly dealing with the fallout of a cyber event. To avoid this situation and maximize the potential financial benefits of cyber insurance, CISOs must proactively engage with key stakeholders.
Cyber risk quantification is an extremely valuable facilitator in this regard. It offers tangible information to those responsible for cyber insurance negotiations, such as the CFO, and can, therefore, be directly leveraged in ensuing discussions with insurance providers. Translating cyber risk into loss scenario likelihoods and respective financial damages helps to bridge the gap highlighted in the Sophos survey, ensuring that everyone with relevant insights is involved in the insurance decision-making process.
Achieving Resilience With Tailored Cyber Insurance
Unfortunately, even as rates decline, organizations are still confronted by the lack of economically viable cyber insurance options. Granted, the industry's relative newness makes it difficult for many insurers to offer fit-for-purpose policies, as they would for other areas of business risk. Nevertheless, this situation compels stakeholders to either self-insure or adopt inadequate coverage that leaves room for unaccounted-for costs, potentially affecting resiliency.
On-demand cyber risk quantification creates an opportunity that overcomes this dichotic dilemma, offering organizations objective, accurate risk forecasts of the cyber loss scenarios they're most likely to experience.
With this data, CISOs, high-level executives, and insurance providers alike can more easily collaborate, thereby discovering the insurance deductibles and limits most likely to provide financial protection and, ultimately, support the organization in constructing a robust, cost-effective cyber risk management program.
Contact one of Kovrr’s cyber risk management experts today and discover how CRQ can minimize your insurance costs and bolster your cybersecurity strategy.