Cyberinsurance: Costs and Requirements Are Rising
This IDC Perspective outlines IDC's research regarding the rising costs, growing limitations, and latest developments in the cyberinsurance industry. Since the inception of cyberinsurance in the early 2000s, organizations have seen it as a way to deal with the various annoying issues of unauthorized access, malware attacks, and data loss. In the early stages, cyberinsurers relied upon basic security checklists for policyholders to demonstrate their compliance with security controls. For the most part, that was the only time cyberinsurers would check in with their customers.
Fast forward to the past two to three years, in which the industry has seen a dramatic rise in ransomware attacks that force organizations to pay large sums of money, typically in bitcoin, to recover their data. This has proven to be an extremely lucrative business for attackers. The flip side is that ransomware has proven to be not so lucrative for cyberinsurers, which have to pay out against claims from organizations attacked with ransomware. In addition to ransomware, business interruption, incident response, and regulatory fines are typical coverage areas in cyberinsurance policies.
Cyberinsurers are now reevaluating their cyberinsurance policies in light of the rise in ransomware attacks and looking for creative ways to mitigate their own liability in underwriting cyberinsurance policies, such as offering coinsurance, where the organization and the insurer split the cost of a ransomware claim. Cyberinsurers are also dramatically increasing policy rates: costs have risen an astronomical 130% in the United States and 92% in the United Kingdom, according to the Marsh Global Insurance Market Index 4Q21. While commercial insurance prices have seen a decline from 15% to 13%, cyberinsurance is the exception.
What does this mean for organizations seeking to continue or acquire new cyberinsurance? For starters, cyberinsurers will be redesigning how their policies are offered, with different payout options depending on the type of claim. Cyberinsurers have recognized they are not cybersecurity experts and will be looking for ways to bring rigor to the process of having policyholders demonstrate their compliance with security standards. These are some of the changes that are coming.
"The time has come where we will start to see a big shift in how policies are underwritten by cyberinsurers. If organizations have not established a security framework based upon an appropriate security standard with ongoing compliance monitoring, now is the time to start," said Phil Harris, research director for IDC's Worldwide Cybersecurity Risk Management Services practice.