Last Updated on July 8, 2022
As cybercrime escalates, so do cyber liability insurance premiums. But the jump in premium costs, which have doubled or tripled (or worse) in many cases, together with higher deductibles and other restrictive policy terms, is leaving many businesses with coverage gaps and increased cyber risk.
Why the quantum leap in cyber liability insurance costs? Have the insurers just mismanaged their end of the business? Or is there more to the story?
To provide expert insights on today’s cyber liability insurance issues and challenges, a recent episode of The Virtual CISO Podcast features Eric Jesse, Partner at Lowenstein Sandler LLP. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Too good to be true
John offers a cynical view of the current situation with cyber insurance policies: “You talked about the fact that their underwriting processes early on were pretty immature. And I think from the folks I know in the industry, a lot of that was, ‘There is a giant pot of gold at the end of the rainbow.’ They did not have the actuarial data. They didn’t have the experience necessary to do that underwriting. And they said, ‘Yeah, we’ll write as many policies as we can, and we’ll catch it up on the backside.’ Is that a fair assessment?”
“I think that’s right,” Eric replies. “Certainly, the insurers were not underwriting as intensely as they wish they should have. I think that’s a contributor here. But beyond that, I can’t really say that the insurers are to blame. Because the reality here is that cybersecurity is an area that’s filled with major risks, changing risks, increasing risks. And the threat actors are persistent in trying to find new ways to penetrate company systems.”
Adapting to a new reality
Another reason cyber liability insurance rates are rising is that carriers are adjusting their policies to match the growing magnitude of the risks they’re underwriting.
“I’ll give you the example of ransomware where, several years ago, we would see ransom demands in the thousands or tens of thousands of dollars, and so insurance companies had sub limits of $50,000 or $100,000 in their policies,” observes Eric. “But as those demands went up, the sub limits went up. So now we often see $1 million sub limits for ransom or cyber extortion demands. And that’s good for policyholders. But now with the onslaught of ransomware demands, the carriers are going to have to pay at those higher sub limits.”
Any help for SMBs?
Many SMBs are now waving goodbye to the more affordable cyber insurance policies in the $2,000-$4,000 per year range. As John notes, premiums at that level wouldn't even cover the cost of a carrier doing proper due diligence on an applicant.
“What they ended up with is a situation where you couldn’t afford to do due diligence and sell the policy at that price point,” states John. “Now as these policies triple in price, can we find ways to rely on third-party attestations and things of that nature? Or maybe, ‘Hey, we’re willing to write a policy, but you have to be ISO 27001 certified.’ Or ‘If you’re ISO 27001 certified, we’ll give you a discount.’ Is that the direction this is going to end up heading?”
“Yes, I agree with that,” responds Eric. “I think the carriers will look, for lack of a better term, for shortcuts through those certifications. Or, you’re going to have just much more extensive insurance applications. Applications I saw a few years ago were often just a few pages. Now they could be much more intensive as the cybersecurity systems and protocols have to be detailed in that application.”
To listen to this conversation with Eric Jesse from the beginning, click here.
Can certification against ISO 27001, or demonstrated alignment with a framework like NIST SP 800-171, help reduce cyber liability insurance costs? This blog post offers some ideas: Reducing Cyber Liability Insurance Costs with ISO 27001 and HITRUST?