Cyberinsurance Prices Moderate as Premium Hikes Slow

Two reports on the cyberinsurance market found that prices continued to moderate in the first quarter of 2023. According to the Global Insurance Market Index from Marsh, average prices rose by just 11%, compared with 28% increases during the fourth quarter of 2022.

A Fitch Ratings report found a decline in ransomware incidents helped slow the rise of premiums for stand-alone cyberinsurance, although they still rose by 62%. The report noted pricing was likely to further moderate in 2023 due to competitive factors and an improvement in cyberhygiene.

Fitch Ratings forecasted the total spend on cybersecurity policies globally could reach $22.5 billion by 2025—up from $10 billion globally in 2022.

Isabelle Dumont, vice president of market engagement at Cowbell, said the proliferation of cyberattacks and cyberinsurance claims related to ransomware incidents have led to higher insurance premiums in the past few years, but pricing stabilized over the last quarter.

“Having adequate cybersecurity deployed when interacting with third-party vendors drastically improves the risk profile of any organization and makes it more insurable. That, in return, lowers premiums or opens more coverage options,” she said.

The definition of ‘adequate cybersecurity’ ranges from compliance with security best practices when deploying cloud providers to requiring MFA for maintenance services when third parties access the company’s connected equipment.

“Businesses should always seek the advice of a licensed insurance agent or broker to help them define the type of coverage and policy they need,” Dumont noted.

The ‘Forcing Function’ of Cyberinsurance

Bud Broomhead, CEO at Viakoo, said there are three key factors driving the growth of the cyberinsurance market: the expanding liabilities from cybersecurity breaches, boards and senior management holding more responsibility for breaches, and the “forcing function” by which cyberinsurance demands that organizations maintain their cybersecurity posture.

“These factors have changed over time and will continue to for a few more years,” he said. “Unlike any other form of insurance, the ability to predict the extent of damages from a cybersecurity incident is very limited.”

Compared to automotive or homeowners insurance, where there is a lot of data to suggest possible payout amounts, cyberinsurance is still grappling with what potential payouts might be.

“For example, insurers are just starting to do risk assessments on IoT/OT systems, which have the potential for loss of life, physical damage and much more reputational damage than losses from data exfiltration,” Broomhead said.

Joseph Carson, chief security scientist and advisory CISO at Delinea, pointed out that cyberinsurance companies are greatly exposed by the increase in successful cyberattacks such as ransomware. These insurance companies are losing money; to ensure they can cover the risks, they need to increase their prices.

“As a result of more cyberinsurance policies being introduced—and, ultimately, many businesses needing to use them—the cost of cyberinsurance is continuing to rise at alarming rates,” he said. “I expect to see this continue throughout the rest of the year and beyond.”

Carson said taking a pragmatic, risk-based approach and reducing those risks by implementing strong solutions can show an underwriter that the organization is less likely to become a victim. That will result in a lower premium.

Third-Party Dependencies Introduce Risk

“The dependency on third-party vendors can significantly impact your cybersecurity risks and, as a result, impact your insurance premiums,” he added. “Therefore, you need to ensure you get a good premium so you must manage your third-party cybersecurity risks.”

From Broomhead’s perspective, the biggest upcoming changes in the market will be that cyberinsurance will be harder to get and with lower coverage amounts.

“This will only change if insurers have more assurance that their risk assessments and financial models are correct,” he said. “Until then, organizations will need to look at other ways to manage this risk, such as through self-insurance or multiple layers of cyberinsurance.”

He said the most important thing is for an organization to do its own risk assessment and ensure that its internal policies address the entire attack surface.

“Too often, an organization develops well-crafted internal policies but then only applies them to traditional IT resources,” Broomhead said. “All digitally connected assets should fall under these policies unless a specific exemption has been granted.”

In April, Lloyd’s of London, a major player in the global insurance market, called for dramatic changes in the cyberinsurance market, according to a report in London’s Financial Times, and cyberinsurance is a major topic of discussion in the U.S. federal government.

While many are calling for the federal government to become the insurer of last resort, that would require an act of Congress and seems unlikely in the short term.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
