Cyber risk insurance: Protecting against cybercrimes

Cyber insurance has become more necessary than ever as companies experience an unprecedented number of cyber attacks.
    • Author: Quantumrun Foresight
    • August 31, 2022

    Insight summary

    Cyber risk insurance is essential for businesses to financially protect themselves against the impacts of cybercrime, covering costs like system restoration, legal fees, and penalties from data breaches. The demand for this insurance has surged due to escalating cyber attacks on various industries, with smaller businesses being particularly vulnerable. The industry is evolving, offering broader coverage while also becoming more selective and increasing rates due to the rising frequency and severity of cyber incidents.

    Cyber risk insurance context

    Cyber risk insurance helps protect businesses from the financial consequences of cybercrime. This type of insurance can help cover the costs of restoring systems and data, as well as legal fees or penalties that may be incurred due to a data breach. What started as a niche sector has become a crucial necessity for most companies.

    Cybercriminals became increasingly sophisticated during the 2010s, targeting high-stakes industries like financial institutions and essential services. According to a 2020 Bank for International Settlements report, the financial sector experienced the highest number of cyber attacks during the COVID-19 pandemic, followed by the healthcare industry. In particular, payment services and insurers were the most common targets of phishing (i.e., cybercriminals sending virus-infected emails and pretending to be legitimate companies). However, although most headlines focus on large companies, like Target and SolarWinds, many small and midsized businesses were also victimized. These smaller organizations are the most vulnerable and are often unable to bounce back after a ransomware incident.

    As more companies migrate to online and cloud-based services, insurance providers are developing more comprehensive cyber risk insurance packages, including coverage for cyber extortion and reputation recovery. Other cyber attacks include social engineering (identity theft and fabrication), malware, and adversarial attacks (introducing bad data to machine learning algorithms). However, there are some cyber risks that insurers may not cover, including profit losses from the after-effects of an attack, intellectual property theft, and the cost of improving cybersecurity to protect against future attacks. Some businesses have sued several insurance providers for refusing to cover a cybercrime incident because it was supposedly not included in their policy. As a result, some insurance companies have reported losses under these policies, according to insurance brokerage firm Woodruff Sawyer.

    Disruptive impact

    Many types of cyber risk insurance policies are available, and each approach will provide different levels of coverage. A common risk covered by various cyber risk insurance policies is business interruption, which can include service downtimes (e.g., website blackout), resulting in revenue losses and additional expenses. Data restoration is another area covered by cyber risk insurance, specifically when data damage is severe and would take weeks to restore.

    Various insurance providers include the costs of hiring legal representation resulting from litigation or lawsuits caused by data breaches. Finally, cyber risk insurance can cover the penalties and fines imposed on the business for any leaks of sensitive information, particularly client personal data.

    Because of the increasing number of high-profile and advanced cyberattacks (particularly the 2021 Colonial Pipeline hack), insurance providers have decided to raise rates. According to the insurance watchdog National Association of Insurance Commissioners, the largest US insurance providers recorded a 92 percent increase in their direct written premiums. As a result, the US cyber insurance industry lowered its direct loss ratio (percentage of income paid to claimants) from 72.5 percent in 2020 to 65.4 percent in 2021.

    Aside from increasing prices, insurers have become stricter in their screening processes. For example, before offering insurance packages, providers perform a background check on companies to evaluate whether they have basic cybersecurity measures in place.

    Implications of cyber risk insurance

    Wider implications of cyber risk insurance may include: 

    • Increased tension between insurance providers and their clients as insurers expand their coverage exemptions (e.g., act-of-war incidents).
    • The insurance industry continuing to increase prices as cyber incidents become more common and severe.
    • More companies choosing to purchase cyber risk insurance packages. However, the screening process will become more intricate and time-consuming, making it more difficult for small businesses to get insurance coverage.
    • Increased investments in cybersecurity solutions, like software and authentication methods, for companies that want to be eligible for insurance.
    • Cybercriminals hacking insurance providers themselves to capture their growing client base. 
    • Governments gradually passing legislation that requires companies to apply cybersecurity protections in their operations and interactions with consumers.

    Questions to consider

    • Does your company have cyber risk insurance? What does it cover?
    • What are other potential challenges for cyber insurers as cybercrimes evolve?
