A “perfect storm” of surging threats, economic headwinds and evolving regulations will see many organizations miss out on cyber-insurance in 2023, experts have warned.
Insurers have been increasing premiums whilst reducing coverage over recent months in response to the rising frequency, severity and cost of cyber-attacks. UK pricing increased 102% in the first quarter of 2022, driven mainly by ransomware, according to Marsh.
This in turn threatens to remove an important risk management tool for many organizations, according to Huntsman Security. The firm predicted that around twice as many firms next year would be unable to afford cyber-insurance, declined cover or experience significant coverage limitations.
“Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organizations trying to execute on their cybersecurity strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour and capacity constraints are all limiting the accessibility of cyber insurance, for many,” argued Peter Woollacott, CEO of Huntsman Security.
“Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organizations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost.”
The answer for many will be to put in place and demonstrate the requisite security controls to reduce cyber risk and therefore qualify for lower premiums/increased coverage.
Such controls are likely to include best practice staples such as multi-factor authentication (MFA), endpoint protection, staff awareness training, regular backups and disaster recovery planning, among other things, Huntsman Security claimed.
Organizations will also have to keep a close eye on third-party risk, warned Woollacott.
“Right now, the cyber-insurance sector is driving security controls worldwide. And even when legislators, regulators and the courts have caught up, it will still be insurers seeking to improve the quality of their risk pricing information that will set security terms,” he concluded.
“Organizations should ensure they are able to take advantage of any improvement in terms offered by enhancing their security controls and posture.”