Cybersecurity Insurance in 2024: Practice of Future

Chart showing global average cost of a data breach rising from $3.54 million in 2015 to $4.24 million in 2021.

Cyber attacks are on the rise across all industries, with a hacker attempting a cyber attack every 39 seconds according to experts. As digital transformation accelerates, companies are becoming more vulnerable to data breaches, ransomware attacks, and other cybercrimes that can severely disrupt operations and finances. This is driving many organizations to invest in cyber insurance as a way to mitigate risks.

Content Navigation show

In 2023, cyber insurance is expected to play an even bigger role in enterprise risk management and become a standard practice for businesses of all sizes. In this blog post, we‘ll explore the current cyber threat landscape, benefits of cyber insurance, how policies are evolving, and predictions for the cyber insurance industry this year and beyond.

The Growing Threat of Cyber Attacks

Recent years have seen some of the most devastating cyber attacks in history, with the trend only intensifying. According to Cybersecurity Ventures, cybercrime is predicted to cost the world $10.5 trillion annually by 2025, up from $3 trillion in 2015. Here are some of the major cyber attacks that have impacted businesses and governments in the last decade:

  • WannaCry (2017): This ransomware attack encrypted data on over 200,000 computers globally. Companies like FedEx, Nissan, Hitachi were impacted. Total losses were estimated at $4 billion.

  • NotPetya (2017): A wiper malware disguised as ransomware caused over $10 billion in damages across shipping, logistics, consumer goods companies. Maersk had to reinstall 4,000 servers and 45,000 PCs.

  • Equifax (2017): The personal data including SSNs of 147 million consumers was compromised due to an unpatched vulnerability. The breach cost Equifax over $1.4 billion.

  • Colonial Pipeline (2021): A ransomware attack forced the key fuel pipeline operator to shut down for nearly a week, causing gas shortages and panic buying across the Southeast U.S.

  • JBS Foods (2021): A ransomware attack on the world‘s largest meat producer disrupted production around the world. The company ended up paying $11 million in ransom.

  • SolarWinds (2020): Russian state hackers used a trojanized network management software update to breach US government agencies and 100+ enterprises. At least $90 million was spent on remediation by Microsoft alone.

The below chart shows how the global average cost of a data breach has surged in recent years:

Chart showing global average cost of a data breach rising from .54 million in 2015 to .24 million in 2021.

(Source: IBM)

Key trends driving the rise in attacks include:

  • More sophisticated hackers: Cybercriminals are getting smarter and cyber attacks more targeted, using advanced persistent threats and social engineering tactics. State-sponsored hackers are also a growing concern.

  • Internet of Things expansion: The number of connected devices is expected to reach 75 billion by 2025, expanding the attack surface. Unsecured IoT devices are an easy target.

  • Work from anywhere model: With more employees working remotely, corporate networks have become less secure. Home wi-fi networks present vulnerabilities.

  • Supply chain risks: By attacking third parties like vendors, hackers can gain access to sensitive data. The SolarWinds and Kaseya attacks highlighted supply chain weaknesses.

No industry is immune. A 2022 Hiscox report revealed cybercrime cases increased 61% among small businesses compared to 2020. Healthcare organizations saw a 78% increase in cyber attacks in 2021 per IBM. Between state-sponsored espionage and ransomware, the question now isn‘t whether an attack will occur, but when.

The Evolving Role of Cyber Insurance

Cyber insurance provides financial protection by covering costs that result from a cyber attack or data breach incident. According to coalitioninc.com, over 90% of cyber insurance claims stem from ransomware attacks, data exfiltration, email phishing and social engineering. Policies can cover:

  • Digital asset restoration: Data recovery, costs to restore lost or corrupted data

  • Business interruption: Lost income and operating expenses from disruptions

  • Cyber extortion: Ransomware payments and negotiation services

  • Network security liability: Lawsuits, settlement costs, regulatory fines due to data breaches

  • Cyber crime: Financial fraud, phone hacking, cyber threats

  • Privacy violation liability: Lawsuits, settlements, regulatory fines due to privacy breaches

  • Media liability: Copyright infringement, defamation, or negligence in online content

Cyber insurance can be a lifeline for companies hit by an attack. According to IBM, the average cost of a data breach is $4.24 million in 2024. Policies cover first-party costs like investigation, restoration, legal services and lost income, as well as third-party costs if customers sue for negligence or personal data exposure. Payouts from insurers like AIG and Chubb have saved companies from bankruptcy in recent years.

At the same time, the scope and definitions around cyber insurance are still evolving. For example, carriers may exclude damages caused via war or political unrest in their policies. State-sponsored attacks are a gray area that could lead to claims being denied. Companies need to review policy language carefully and model out worst-case scenarios to avoid surprises.

Key Trends Reshaping Cyber Insurance in 2024

Cyber insurance is a relatively new product that is seeing rapid innovation, with policy terms and conditions changing in response to new attack methods. In 2023, experts predict these key trends will reshape the market:

  • Customized policies: Insurance coverage will match specific assets and vulnerabilities rather than take a one-size-fits-all approach. Verisk‘s Cyber Quant model is an example of risk-based underwriting.

  • Greater focus on risk mitigation: Insurers will incentivize good security practices like employee awareness training, endpoint protection, multi-factor authentication through discounts or mandates.

  • Higher premiums: Companies with poor security will pay more for coverage. However, those with robust IT practices will benefit from lower premium costs.

  • Exclusions for state actors: Policies likely won‘t cover damages caused by foreign nation-state attacks. Expect pushback from regulators on this.

  • Mandatory cyber audits: Assessing the policyholder‘s security posture will likely be required during the underwriting process. Vendors like BitSight provide ratings.

  • More clarification of ambiguous terms: Vague wording around what constitutes a "cyber attack" will get more precise definitions to reduce disputes.

  • Cyber captives: Greater interest in companies creating their own captive insurers to directly control coverage and pricing, rather than relying on third-party carriers.

Organizations looking to buy cyber insurance policies need to demonstrate cyber resilience, negotiate favorable terms, and closely review language to avoid gaps.

Cyber Insurance Industry Predictions for 2024 and Beyond

Cyber insurance is entering a sustained growth phase as adoption reaches an inflection point across industries. Here are key predictions on the market size and trends according to leading forecasters:

  • Cyber insurance premiums will reach $20 billion globally in 2024, up from just $7.5 billion in 2020 (Allianz)

  • U.S. market share could more than double from $5.7 billion to $12 billion in annual premiums by 2025 (AM Best)

  • 70% to 80% of U.S. companies will carry cyber insurance in the next 2-3 years, up from around 60% in 2024 (Fitch Ratings)

  • Average cost of policies for small businesses will rise by 50% between 2022-2024 (Cowbell Cyber)

  • Financial institutions will see policy rates increase 25% to 50% on renewal (Marsh McLennan)

  • Cyber insurance budgets will need to double for most firms according to Gartner

  • Lenders and business partners may soon require minimum levels of cyber coverage from customers (Fitch Ratings)

As cyber attacks proliferate, organizations beyond the healthcare, retail and financial sectors now view cyber insurance as a necessary cost of doing business online in the 2020s.

Crafting an Effective Cyber Insurance Strategy

For companies exploring cyber insurance coverage, focus on these best practices:

  • Conduct a risk assessment: Identify your critical assets, vulnerabilities, and acceptable levels of risk exposure. Cybersecurity firms can help with this.

  • Model out worst-case scenarios: This will determine ideal policy limits and deductibles when weighing tradeoffs. Table-top exercises are valuable.

  • Prioritize gaps in existing coverage: Many policies like Property & Casualty already offer some cyber protections. Look for holes.

  • Clarify vague language with underwriters around exclusions and trigger events that would lead to claims payment.

  • Discuss retentions: Make sure you can afford the out-of-pocket costs you may need to cover before insurance kicks in.

  • Evaluate insurer financial strength: Look for carriers that are able to pay out large claims, even in a systemic risk event.

For example, Keeper Security implemented a robust cyber insurance strategy after their risk assessment showed gaps in existing coverage. They worked with carriers to design a tailored policy with priority on business interruption, cyber extortion and privacy breach coverage limits.

The Role of Technology in Managing Cyber Risk

Beyond traditional cyber insurance policies, new approaches and technologies are emerging to help companies manage cyber risks:

  • Cyber ratings like BitSight Security Ratings and SecurityScorecard benchmark an organization‘s security performance to influence cyber insurance pricing and identify areas for improvement.

  • Parametric insurance provides coverage against breaches based on specific trigger events, allowing much faster claims payment without requiring extensive loss adjustment.

  • Cyber captives enable insured companies to circumvent external carriers and directly control coverage, deductibles, and premiums through a self-owned insurer. Captives can also tap reinsurance markets for added capacity.

  • AI for enhanced underwriting leverages big data to dynamically model cyber risk exposures and premium pricing based on evolving threat landscapes.

  • Auditors and MSSPs now provide risk transfer and insurance services to complement cyber policies, based on their extensive visibility into clients‘ environments.

As cyber risks grow exponentially, insurers need to embrace technology not just to improve security, but also to design better policies and accurately price risk.

Looking Ahead: The Future of Cyber Risk Management

To build cyber resilience, companies today need to view insurance as just one component of an overarching risk management strategy. Preparedness, mitigation and transfer of risk should all be addressed.

Here are some other developments we may see over the next 5 years to tackle cyber risks:

  • Greater public-private collaboration on cyber intelligence sharing and policymaking

  • Government reinsurance programs to subsidize cyber insurance capacity for critical infrastructure sectors

  • Mandated cybersecurity standards and regulations for companies around data protection and vulnerability disclosure

  • Increased investments in cybersecurity startups innovating on enterprise security defenses through technologies like deception tools and AI

  • More industry ecosystems and collective security models like the Trusted Secured Stamp exchange for strengthening supply chain protections

  • Mergers and acquisitions of cyber insurers as market consolidates and reinsurers seek direct distribution

  • Expansion of standalone or parametric cyber products for coverage gaps beyond general liability policies

With cybercriminals rapidly evolving their techniques, companies need to work proactively with insurers, regulators and technology partners to predict and manage emerging cyber risks. This collective approach to security and risk transfer will define cyber resilience in the 2020s.

Conclusion

Cyber attacks and data breaches will only grow in frequency and impact across industries. To survive the next decade, cyber insurance must become part of every company‘s risk management strategy and budget. As insurers refine policies to keep pace with new threats, organizations need to prioritize investments in cybersecurity controls, employee training, and business continuity. Proper contingency planning and testing before a crisis hits can greatly minimize potential losses. With cyber risks rising exponentially, the resilient enterprises who prepare for the worst now with Insurance and security will be the ones still standing tomorrow.

Tags: