MARTIN POTGIETER | The escalating cost and complexity of cyber insurance

The cover has become an operational necessity, but it has to be balanced against comprehensive investment in security to ensure it’s worth the hassle

16 October 2023 - 21:34 By Martin Potgieter

They say death and taxes are unavoidable. Add to that list the growing number of cyber incidents that can have a significant impact on businesses’ financial wellbeing. It's not only the rise in attacks that poses challenges, but also the increased premiums charged by cyber insurance companies. It’s like a one-two punch for organisations, with the threat of cyber intrusions growing stronger and the price tag for protection climbing higher and higher.

According to recent statistics released by the Council of Insurance Agents and Brokers, cyber insurance premiums increased by about 28% in the first half of 2022 compared with the same period in 2021. By the end of 2022, premiums increased by a further 20.3% compared with the previous year. These numbers correlate with those released by Statista, which found 89% of insurance brokers had seen an increase in demand for cyber insurance policies over the same period and 72% had seen an increase in claims.

As cyber insurance claims went up, insurance companies began putting stricter limitations on what they cover and what businesses must do to keep their coverage intact. This is because of the ever-growing complexity of the cybersecurity landscape. These insurance providers prioritise their own protection by demanding their customers put certain levels of security in place. As a result, there has been a major clampdown on what type of coverage these companies provide and what they expect their customers to do to ensure the insurance remains valid.

The consequences of paying

An important question to consider is: how much does cyber insurance influence attacker behaviour? Payouts made to these criminals have not only changed the way they target and demand ransoms, but have also become a tempting reward for them.

However, it’s worth noting that some cyber insurance policies have started excluding ransom payments from their coverage. This means organisations relying solely on insurance may no longer have the guarantee of ransom payment if they fall victim to a cyberattack. This shift in policy coverage aims to discourage attackers from targeting organisations with the expectation of a payout.

Cyber insurance is no longer something that offers peace of mind and allows the organisation to relax. Instead, it has become a last resort protection that comes into play when other measures have failed — but only if the policy explicitly covers ransom payments. The game has changed and companies and insurers need to navigate this new reality with caution.

Cyber insurance alone is not enough

While cyber insurance is important and should be a priority for the C-suite, it’s not foolproof. The threat landscape can be challenging. Ransomware payouts have rocketed in recent years, emboldening attackers. They’re now using double and triple extortion to increase their profit margins.

They encrypt the data, demand the ransom and then start going to your business partners and telling them your company has been compromised and their data is also at risk. They threaten to release your partner’s information with your own and demand money from everyone involved. Cyber insurance can’t protect against this level of reputational threat.

That is why cyber insurance companies are telling their customers what to do to ensure their insurance stays valid. Companies are under pressure on multiple fronts — regulation, attackers and insurers — to guarantee every possible security step is taken should they be compromised. Companies need to reinforce their security systems and investments and collaborate with third-party service providers to ensure comprehensive protection.

* Martin Potgieter is the technical director at Nclose and a solutions-focused cybersecurity specialist.

