Cyber insurance is viewed by many cybersecurity experts as a crucial component of a modern security strategy, given surging cyber incidents and associated business costs.
The global cyber insurance market is projected to be worth $90.6bn by 2033, highlighting its growing relevance.
While the need for cyber insurance is clear, there are indications that policies are not working effectively for many organizations.
A 2023 Delinea report found a growing disconnect between carriers and enterprises, with policyholders struggling to understand the fine print in policies, leading to many claims being rejected.
There is a particular issue is with small businesses, which are experiencing growing attacks. A 2022 report by the UK’s Federation of Small Businesses (FSB) found that 38% of its members that have cyber insurance do not know what their policy includes.
In fact, the majority of small and medium-sized enterprises (SMEs) simply do not see cyber insurance as a viable option. In December 2023, insurance giant Aviva found that just 17% of small businesses have cyber insurance.
Barriers to Effective Cyber Insurance Coverage
Impractical Cyber Insurance Policies
Currently, many businesses find it difficult to understand the extent of coverage and exclusions that may apply in cyber insurance policies.
“This ambiguity can lead to disputes and delays in the event of a cyber incident, causing additional stress and financial strain for the insured,” Tarnveer Singh, CISO of The Exeter and ClubCISO member, told Infosecurity.
The evolving nature of cyber threats adds another layer of complexity, making it harder to ensure policies remain relevant. Singh said that insurers typically rely on standardized risk assessment measures, which may not accurately reflect the unique vulnerabilities and risk levels for individual businesses.
“This mismatch can result in inadequate coverage or overpriced policies, making it challenging for businesses to find the right cyber insurance solution,” he explained.
The process of filing an insurance claim can be time-consuming and burdensome, particularly for SMEs with limited resources, with insurers often requiring extensive documentation and proof of loss, Singh added.
Indy Dhami, partner in KPMG’s Financial Services Cyber Security team, believes the wider business impacts of cyber incidents is making it more challenging for insurers to model cyber risks appropriately, with this industry traditionally focused on losses related to digital assets, such as personal data.
“The increase in cyber-attacks along with its wider impact has led clients and insurers to rethink the knock-on effect on other insurance lines like personal (reputation), property (physical damage), intellectual property (competitor information) etc.,” he noted.
Another barrier to effective cyber insurance is the growing cost of premiums, an issue that is exacerbated for SMEs and leads to many companies being underinsured.
S&P Global Ratings has projected that annual cyber insurance premiums are set to increase by 25-30% per year until 2025.
Lack of Cyber Awareness and Knowledge
In some cases, businesses may choose not to take out cyber insurance as they not aware of how costly cyber-attacks can be. From an insurer’s perspective. Technology and Cyber Head at Hiscox USA, Chris Hojnowski, said that many organizations incorrectly believe that any financial losses can be covered by the business itself.
Additionally, he noted that SMEs are often under the illusion that they aren’t a target of cybercriminals due to their size.
This is incorrect, he said, citing figures from the Hiscox Cyber Readiness Report 2023 showing that 43% of small businesses suffered a cyber-attack in 2023.
Additionally, cyber insurance policies are typically purchased by someone without a deep cybersecurity understanding, usually from the finance department, such as a risk manager or Chief Financial Officer.
“They are coming to cyber insurance from a financial perspective and a business point of view; therefore, they may not have the same depth of knowledge as the CISO, who would have a better understanding of what the insurance policy technically includes and whether it provides adequate coverage,” outlined KPMG’s Dhani.
How to Make Cyber Insurance Policies More Relevant
Tailoring Cyber Insurance Policies to the Organization
To make cyber insurance more effective, insurers must offer more customizable policies that align closely with the specific needs of individual businesses, argued Amar Patel, a CISO working in financial services and ClubCISO member.
“Innovating in product development, with a focus on the evolving cyber threat landscape, can offer more relevant insurance products"
These individual policies also need to be under constant review. “Innovating in product development, with a focus on the evolving cyber threat landscape, can offer more relevant insurance products,” he noted.
Insurers should seek to provide more flexible and scalable options, particularly for SMEs with limited resources, Patel noted.
The need to adapt policies according to factors like the individual characteristics of the organization and threat landscape is increasingly being recognized in the cyber insurance industry.
Lauren Winchester, SVP – Risk Advisory at Corvus Insurance, told Infosecurity: “Insurers are confronted with the task of accurately quantifying the risks tied to a business’s cybersecurity posture, adapting application questions and policy wording in a competitive market.”
She advised insurers to embrace advanced data analytics and alternative cyber data sources to better quantify risk.
“It also takes a nimble, cross-functional team within the insurer – underwriting, actuarial, risk management and claims – to adapt quickly to new threats,” added Winchester.
How Transparency Can Improve Cyber Insurance and ROI
Increasing transparency in cyber insurance policy terms and conditions could go a long way towards reducing delays and disputes during claims, according to Singh.
“Clear language and concise explanations of coverage, exclusions, and claims procedures can help businesses make informed decisions and minimize disputes,” he said.
Insurers should work on streamlining the claims process, as businesses require prompt support in the aftermath of a cyber incident. This includes simplifying documentation requirements, establishing clear communication channels and expediting the assessment and settlement of claims.
“By reducing administrative burdens and providing efficient claims handling, insurers can significantly improve the overall experience for businesses,” added Singh.
More businesses could be encouraged to take up cyber insurance if insurers assisted in demonstrating the benefits and ROI of such policies to business leaders outside of the cybersecurity function.
Measuring and quantifying cyber risk is often difficult for those working in small firms, noted KPMG’s Dhami.
“If cyber insurance providers can help clients perform a more detailed cost-benefit analysis to demonstrate to the Board the value of this type of insurance, it might encourage them to invest more,” he said.
How Cyber Insurance Should Evolve in the Future
Providing Risk Management Services
A Market.Us report published in January 2024 advised cyber insurers to consider providing holistic risk management services in the future to enhance their offerings, helping organizations proactively manage cyber risks.
These risk management services include cybersecurity assessments, incident response planning and employee training.
Prevention is an area cyber insurers told Infosecurity they are increasingly involved in. Corvus’ Winchester said the firm is continuously expanding its cyber risk management services to prevent attacks.
For example, Corvus made contact with a policyholder after discovering credentials that would allow access into their system were for sale on the dark web. After validating the information, they set the client up with incident response firms, enabling them to contain the attack before it turned into data theft and extortion.
Dhami agreed that a more holistic service is needed to make cyber insurance more effective for businesses. This includes recommending partners or providing complimentary services in areas like forensics and crisis management.
“Most companies simply don’t have the resources to have those functions in-house. With comprehensive pre-, during-, and post-attack services and support, cyber insurers will not only help improve their clients’ security posture, but they can be confident that their policies are fit for purpose,” he noted.
Cyber Insurers Must Collaborate with the Cybersecurity Industry
A key aspect of cyber insurers enhancing their offerings is building a closer relationship with the cybersecurity industry.
This relationship will enable insurers to gain fast and accurate insights on the evolving threat landscape and how different sectors are being targeted. Cyber insurers will also benefit from being able to tap into cybersecurity specialists’ risk management services and expertise.
Singh explained: “By tapping into this expertise, insurers can refine their risk assessment models, develop more comprehensive coverage, and align their policies with the latest cybersecurity best practices.”
Patel added that he would like to see the insurance and cybersecurity industries develop joint frameworks for cyber risk assessment that could standardize and streamline this process.
Conclusion
Cyber insurance has become a recognized component of cybersecurity. However, it is still a relatively young sector with plenty of scope for maturity. This process is needed to address some of the issues we are seeing with the practical application of cyber insurance policies, and boost takeup and effectiveness.
It is also clear that insurers’ ability to provide a more tailored and holistic service will require close coordination with the wider cybersecurity industry, tapping into its insights and services for the benefit of clients.