With rising cyber incidents, it should come as no surprise that cyber insurance companies are tightening their policy coverage requirements in an effort to stem the tide.
Today, hackers are using increasingly sophisticated tools to launch attacks. Not only are threat actors using sensitive information for financial gain, but they’ve also become savvier in using it as a strong-arm extortion tool to get even more money.
The financial losses from cybercrime are projected to reach $10.5 trillion annually by 2025, according to Cybersecurity Ventures projections.
This represents a dramatic increase in the global costs of cybercrimes over the past decade from $3 trillion in 2015.
In addition, the number of cyber insurance claims swelled to 33,561 in 2023 as the incidence of cybercrime rose, according to the National Association of Insurance Commissioners (NAIC).
Small and medium-sized businesses are increasingly the targets of these attacks, which include ransomware, business email compromise (BEC), token theft, adversary-in-the-middle (AitM) phishing, data breaches, and other phishing and social engineering schemes.
Ransomware, in fact, represents the lion’s share of the claims involving recovery expense losses, about 81 percent.
In this article, we’ll outline how cyber insurance providers are reacting in the wake of a spate of large-scale cyberattacks in recent years. We’ll also examine the ways in which insurers are trying to mitigate risk and what this may mean for your business.
After reading this article, you’ll know 9 key security tools, policies, and procedures you will likely need to implement in order to obtain or renew your cyber liability policy.
With this information, you can implement the right security measures to obtain coverage and help protect your organization's financial future.
Cyber insurance is a relatively new concept, having been created in 1997 mainly as a niche industry to protect technology companies. Today, it is a multi-faceted behemoth that is only expected to grow in the coming years.
Given the evolving threat landscape, cyber insurance has become an essential part of many organizations’ overall cybersecurity strategy. According to the NAIC, the number of active cyber insurance policies in the U.S. jumped markedly, rising 11.7% to 4.4 million in 2023.
Cyber insurance covers specific financial losses caused by a cyberattack, data breach, or other type of cyber incident.
According to the latest figures from the NAIC, $16.66 billion in premiums were written for cyber coverages globally in 2023; the U.S. cyber insurance market accounts for 59 percent of that ($9.84 billion).
Fortune Business Insights projects that the cyber insurance marketplace will balloon to $120.47 billion by 2032, based on a compound annual growth rate of 24.5 percent.
Threat actors are constantly on the prowl to exploit even the smallest vulnerabilities within your environment to successfully gain a foothold into your systems. This could be through your network, computers, software, email, or other parts of your infrastructure.
Often, people are the weakest link within an organization: they can unwittingly let attackers in by clicking a malicious link, opening an infected file, or sharing confidential information with a contact they believe they know.
Once attackers have a foothold, they can steal data and deploy ransomware. They then extort the victim twice over: by encrypting systems until a ransom is paid, and by threatening to sell or leak the stolen data on the dark web.
Such cyberattacks can not only disrupt critical business operations, but also affect email communications, video conferencing, data access, file sharing, and more.
Cyber insurance is essentially a financial backstop to minimize losses in the event of a cyber incident. Those losses could include:
The growing number of cybersecurity incidents has far-reaching consequences.
The losses are compounded by the fact that they don’t just affect the initial target of the cyberattack or data breach. An attack can spread like wildfire, ensnaring many other businesses in its path.
For instance, in the much-publicized ransomware attack on Change Healthcare, the protected information of an estimated 190 million people was stolen, including names, Social Security numbers, dates of birth, and medical records.
That attack on the UnitedHealth Group subsidiary in February 2024 paralyzed claims processing and payments across the healthcare industry nationwide, leaving many small practices on the brink of closure.
It represented the single largest cyberattack ever to hit the healthcare industry, impacting hospitals, care facilities, pharmacies, private practices, insurers, and other healthcare organizations across the country.
The reverberations are still being felt throughout the industry.
Affected businesses have filed dozens of lawsuits, including at least 72 class action lawsuits that have since been consolidated into a federal multidistrict litigation (MDL) in the District of Minnesota.
In many of the lawsuits, the plaintiffs allege that Change Healthcare was at fault for failing to implement critical cybersecurity guardrails to protect sensitive information.
The root cause of the massive data breach, and of the financial devastation that rippled out from it, was a lapse in basic cyber hygiene.
According to published reports and UnitedHealth Group's own testimony to Congress, the attackers logged in with stolen credentials to a remote-access portal that was not protected by multi-factor authentication, an industry-standard security control.
This is just one example of several high-profile ransomware attacks in various industries in recent years. The frequency and severity of such attacks are driving the demand for cyber insurance coverage.
Given the rise in the number of claims caused by the growing incidence of cyberattacks, insurance companies are trying to turn the tide by requiring companies to implement more rigorous security controls.
Here are 9 essential cybersecurity controls to help you meet the cybersecurity standards for coverage:
1. Security awareness training
- Regularly scheduled program of training modules
- Combines simulated phishing exercises with security awareness content
- Educates employees on the latest tactics used by threat actors and how to spot and avoid them
- Fosters ownership among staff for following your cybersecurity protocols

2. Multi-factor authentication (MFA)
- Requires users to present multiple forms of authentication before being allowed to access a device, application, file, or other part of your network
- A critical control that is often required by federal and state privacy laws and security regulations

3. Access controls
- Implement user authentication and verification protocols to limit access to authorized users only, through role-based access controls (RBAC)
- Restricts access based on pre-defined user roles and job functions
- Often incorporates privileged access management (PAM) to limit access to highly sensitive information and administrative functions to a small number of key people, such as network administrators

4. Data encryption
- Use strong encryption to protect data both in transit and at rest
- Keeps files, folders, and other media from being read by threat actors who manage to intercept or steal them through unauthorized access

5. Incident response plan
- Create and implement a comprehensive incident response plan that outlines the steps your organization will follow in the event of a cyber incident
- Identify key stakeholders and define their roles and responsibilities
- Establish a communication chain for internal and external stakeholders

6. Patch management
- Automate your scheduled software patches so that known vulnerabilities are fixed promptly
- Keep software up to date and retire end-of-life software that no longer receives security patches from the vendor, since threat actors actively target such systems

7. Asset inventory and data classification
- Perform a thorough inventory of your technology
- Classify your data assets to identify any highly sensitive data that may require specific security safeguards
- Segment your network to separate sensitive data so that it is only accessible to authorized users

8. Business continuity and disaster recovery (BCDR) plan
- Develop a BCDR plan that spells out how your business will respond during an emergency, such as a natural disaster or cyber incident
- Identify employees and external entities to be notified following an emergency, including any regulatory agencies
- Determine the impact on your business
- Establish protocols for operating during the attack and for your recovery afterward
- Ensure you have secure, accessible data backups that are kept separate from production systems and tested regularly

9. Risk assessments and security policies
- Perform regular risk assessments of your environment, including penetration testing and vulnerability scanning, to uncover hidden vulnerabilities and determine the effectiveness of your security controls
- Evaluate your current security posture to identify security gaps and potential threats
- Document the risk and potential impact of each security vulnerability found
- Establish and implement remediation controls to correct the identified security flaws
- Develop and adopt comprehensive cybersecurity controls, policies, and procedures to mitigate cyber incidents
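The MFA control in the list above, shown as an added example that is not part of the original article: a standard-library Python implementation of the time-based one-time codes (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps display, together with the server-side checks a practitioner expects when accepting such a code as a second factor: a small clock-drift window, a constant-time comparison, and rejection of a code that has already been used. The `TotpVerifier` class, its `window` parameter and the replay-tracking design are assumptions for illustration; the secret and timestamps in the demo are the published RFC 4226/6238 test vectors.

```python
"""Added example, not code from the original article: a minimal TOTP
second factor (RFC 6238) built on HOTP (RFC 4226) using only the Python
standard library, plus the server-side checks that make it safe to use."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check of the code a user types in as their second factor.

    Assumed design (not from the article): the Base32 secret shared with the
    user's authenticator app at enrolment is stored per user, and the last
    accepted time step is remembered so that a code captured by a phishing
    proxy cannot be replayed while it is still inside the validity window.
    """

    def __init__(self, base32_secret: str, window: int = 1):
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        self.secret = base64.b32decode(padded)
        self.window = window              # steps of clock drift tolerated either way
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        # Reject anything that is not exactly DIGITS ASCII digits before comparing.
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
            return False
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                  # this or an older code was already used: reject replay
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 published test secret, "12345678901234567890" in ASCII.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))                # 94287082 per RFC 6238 Appendix B
    v = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # the same secret, Base32-encoded
    print(v.verify("287082", now=59))                    # True: correct code for step 1
    print(v.verify("287082", now=59))                    # False: replayed code is refused
```

The replay check matters in practice because AitM phishing kits relay a victim's freshly typed code to the real site within seconds; once a step has been consumed, the same code is useless even inside the drift window. Possession of the device that generates the code remains the second factor; the Base32 secret is as sensitive as a password and should be stored accordingly.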
Currently, cyber insurance is not universally mandated. Given the rapidly evolving threat landscape, however, it has become an increasingly essential tool to help businesses and insurers alike minimize risks.
A cyber incident can cause crippling damage to your business, including reputational damage, customer defections, legal consequences, and revenue loss. While cyber insurance can’t prevent such damage, it can serve as another layer of protection for your business and the sensitive information you store, process, and share.
After reading this article, you now understand that rising threat risks are spurring insurers to ramp up the security requirements for cyber liability coverage.
When evaluating a cyber insurance policy, it’s important that you know what it covers, as well as any exclusions. You should also have a clear understanding of the specific security requirements for your business. Insurers frequently deny claims because of exclusions and for failing to implement the necessary cybersecurity controls.
As a managed IT services provider (MSP), we write articles like this with one goal in mind: to provide information to help you make the best IT decisions for your business. We want to help you succeed, regardless of whether you choose to work with us or not.
While we don’t offer cyber insurance products, we strongly recommend that you shop around to find a policy that fits your business needs.
Are your current cybersecurity defenses adequate to reduce the chances of a cyberattack?
Click the button below to get a cyber insurance checklist to see if you have the right technology in place to qualify for coverage.
✔️Identify 12 cybersecurity tools most insurance carriers require
✔️Assess the technology gaps that may exist in your infrastructure
✔️Understand why these 12 tools are important