Cybersecurity risk is on the rise: How insurers are responding

Recent reports suggest more education and standardization are needed to keep up with a rapidly increasing threat landscape

Oct 1, 2021 / Insurance Industry Trends

Data destruction and theft, extortion demands, hacking, denial of service attacks, crisis management, legal claims: this is the world of cyberattacks and cyberterrorism, and the threat is growing. According to the Harvard Business Review, the severity of financial consequences is running into the tens of millions for individual companies, and the Cyber Readiness Report by Hiscox indicates that many companies are being targeted more than once in a single year.

Malicious cyber activity costs the U.S. billions of dollars each year, and threats are becoming more common and sophisticated. The United States General Accountability Office (GAO) released a report in May of 2021 detailing how insurers face new and evolving challenges with cybersecurity risk and coverage.  

GAO’s report explains that the increase in cyberattack threats against government, business, and infrastructure is putting pressure on the cyber insurance market to help address and stabilize a complex and rapidly growing risk landscape. But the good news is that insurance carriers are uniquely poised to help mitigate this growing threat and lead the charge for education, standardization, and prevention.

How carriers are impacted by—and responding to—cyberattacks

As demand for cybersecurity policies rises, so too do costs for insurers. The tremendous ransoms and increased frequency of attacks are putting pressure on insurers’ balance sheets, with more than half of surveyed brokers reporting a price increase of 10-30% in late 2020, according to GAO.

Insurers are also compensating for this increased cost by lowering coverage limits and by offering cyber-specific policies. Traditionally, cybersecurity insurance has been bundled with other policies. However, with the need for higher limits and more specific coverage parameters, cybersecurity policies are beginning to stand alone—now considered a high-stakes focal point instead of an add-on.

Comprehensive claims data

With limited historical data on losses, carriers often struggle to accurately estimate potential cybersecurity losses and properly price policies. GAO suggests the insurance industry needs comprehensive incident data from not only client claims but also from federal and state governments. A collaboration between entities could produce the data volume necessary to more accurately assess risk and structure policies in the future.  

Increased policy standardization and reduced ambiguity

This collaboration between the insurance industry and government can also extend to increased standardization of definitions and terms. Because the cybersecurity risk market is rapidly evolving, many policy terms are inconsistent across carriers and policyholders, which leads to confusion and potential disagreement over coverage.  

Security Magazine reports that because of increased cyber crimes and the increased popularity of standalone cybersecurity policies, insurers are beginning to remove ambiguity from policies and bring clarification to coverage terms. As such, policyholders should expect more questions at renewal time and more mature, hyper-focused policies.

Education and prevention

GAO also notes carriers can encourage policyholders to focus on more education and prevention, helping reduce cyber attacks where they most often start: employees falling victim to phishing emails. Prevention and education measures at the policyholder level, paired with increased standardization and collaboration between carriers and government, can help tremendously when it comes to taking a strong stand against cyber criminals.  

While the topic of cyberterrorism can feel daunting, there is ample opportunity for the insurance industry to come together and respond not only when a cyberattack happens but also by working to prevent attacks from happening in the first place.