By John Wareing, insurance sector specialist at Red Helix.
Cyber security attacks are increasing at an alarming rate and continue to grow in scale and complexity, affecting essential services, businesses and individuals alike. Owing to the accelerating pace of digitalisation and major advances in network technology, we have become more reliant on our devices. This has created an array of new endpoints for criminals to target, which in turn has led to hacking offences more than doubling in the year ending March 2022 compared with the year ending March 2020.
Not only has the number of crimes increased, but the impact and aftermath of a cyber-attack can cause a ripple effect for years. Criminals are gaining access to huge amounts of personal data from enterprises, including bank details and ID documents, as seen in the recent attack on Arnold Clark.
Owing to the higher severity of breaches, the frequency and value of payouts have gone up, and so has the price of cyber insurance, which rose by 66% in the third quarter of 2022 – following a peak increase of 102% in the first quarter. In fact, the average cost of a single attack in the UK has reached a seven-year high of £4.56 million, which has, in turn, had a major impact on both the rates and the requirements for cyber insurance.
While policies will always differ between insurers, there is an ever-growing checklist of requirements that organisations need to adhere to in order to be accepted. It is no longer merely an expectation that companies show they’ve taken appropriate action to protect themselves against cyber-crime; it is a requirement. Those that can’t prove they have put sufficient technical solutions and training in place to secure their network will be denied insurance, or refused payment when making a claim.
This comes alongside an increased number of exemptions from insurers as to what they will, and will not, cover. One of the most notable of these recently was Lloyd’s of London’s decision to no longer protect against ‘state-sponsored attacks’, which means that any attack an insurance company could claim was linked to a nation-state would no longer be covered.
For businesses this has led to a few questions. Firstly, what are the requirements to qualify for cyber insurance and what will be covered? And secondly, given the robust level of security your organisation will achieve through ticking off the checklist of requirements – is the cost of insurance actually worth it?
What are the requirements for cyber insurance?
Across the board, insurance is becoming increasingly challenging to get hold of. Not only are costs soaring, but underwriting requirements are higher and greater scrutiny is being placed on risk mitigation and security programme maturity.
Therefore, for businesses to be eligible for cyber insurance they need to show that they already have robust security in place. While the specific requirements for cyber insurance will vary – based on the industry, insurer, the size of the business and the type of coverage required – there are some universal security measures that every business looking for insurance needs to have in place:
- Endpoint detection and response (EDR) – as the number of endpoints (including laptops, mobile phones, tablets, etc.) continues to rise, so does the number of entry points for criminals. EDR is designed to monitor, discover, investigate and respond to threats across a network of endpoint devices and is becoming a must-have for those seeking insurance.
- Multi-factor authentication (MFA) – this one almost goes without saying, as it has become a common part of day-to-day business operations, but having MFA in place for business networks, emails and applications is another requirement insurers are looking out for.
- Separate backups – as attacks become more advanced, having a single data backup is no longer enough, as this can potentially be compromised. Having multiple backups, in different locations, is another requirement for cyber insurance.
- Cyber awareness training – even the strongest cyber security measures can be brought down by a hole in the human firewall. Therefore, insurers will need businesses to provide regular training, and assessment, to their employees to mitigate the risk of breaches through social engineering attacks.
- Penetration and stress testing – just as assessments show that staff are trained against cyber threats, insurers also need to see that cyber security tools can withstand the threats in the environment. Showing the results of penetration and stress tests can help alleviate concerns around a business’s level of protection.
- Zero trust network access (ZTNA) – whilst ZTNA may not yet be a universal security measure, it is growing in popularity and has become a widely accepted choice for providing secure network access – replacing outdated VPNs. It may not be something all insurers are looking for now, but will likely become so down the line due to the increased security it provides.
Having these measures in place can help towards eligibility for cyber insurance; however, actual requirements will vary on a case-by-case basis. Additionally, while implementing the above can help organisations to secure insurance and start better protecting themselves, certain industries will have their own regulations that need to be met – such as the Telecommunications (Security) Act (TSA) for network operators – and it is unlikely that insurance companies will accept those that don’t comply with government legislation.
Is cyber insurance worth the rising cost?
One of the many elements that should be considered is that in the event of a breach, some insurers will insist on choosing the company that investigates the attack. While that may not seem like a big deal initially, it becomes more of an issue when combined with the recent exemptions around state-sponsored attacks, as it gives the insurance company the power to determine whether there is a link to a nation-state – and ultimately whether that affects the eligibility of the claim.
Organisations, therefore, need to ask themselves whether they are comfortable with this and whether they are happy to trust the results of the insurer’s investigation, particularly if they have their own means to investigate a breach – be it their own technology, or an existing relationship with an attack remediation company – as an insurance company may reject findings that differ from its own.
This may draw the value of cyber insurance further into question. What is, however, without a doubt ‘worth it’ is ensuring your cyber security continues to be at a level where your eligibility for insurance couldn’t be brought into question.
As the threat landscape continues to grow, businesses need to remain aware of the evolving threats, and increase their security measures alongside them, so they can continue to protect themselves, their business partners and their customers from attack. And while cyber insurance requirements themselves shouldn’t be used as a base level for an organisation’s security, the higher bar being set does indicate the need to reassess levels of protection.
Furthermore, as additional security compliance requirements are imposed on some sectors, such as the aforementioned TSA and the EU’s DORA (as well as a likely UK equivalent) for financial services, reviewing and upgrading security measures isn’t just important for protecting your business – it is becoming a more important part of the criteria companies use when assessing their third-party suppliers.
Ultimately, whether cyber insurance is worth the cost comes down to the details of the individual policy – there is no ‘yes or no’ answer. The choice to take out cyber insurance will depend on the cost of the policy, the level of cover you’re able to receive and any stipulations or exemptions. Nevertheless, whether you are insured or not, paying attention to the requirements for cyber security – both from insurance companies and government regulations – is of the utmost importance.
Insurance or no insurance, the threat landscape is evolving, and your security measures need to evolve with it.
Therefore, adhering to security guidelines can help to strengthen your security environment, while regular testing of cyber defences can identify any areas of your security that need to be upgraded. This will not only help your organisation qualify for cyber insurance should you want it, and likely reduce your premium, but it will also significantly reduce the chance of a successful breach.