Why Cyber Insurance is So Expensive and Hard to Get
With inflation recently hitting a 30-year high, everything from the beef in your fast food hamburger all the way down to the box it comes in has gone up in price at an unprecedented rate. The blame is bandied around between the pandemic, the supply-chain crisis, work shortages and just about anything else the PR spin gurus use to deflect us away from the real reason: opportunistic greed.
And while this affects the consumer market, it doesn’t explain the recent huge increase in cyber insurance, which should be devoid of and separate from the common goods and services market. According to Tech Target, “The cyber insurance market is undergoing a massive shift as premiums have increased upwards of 50%, according to infosec experts and vendors, with some quotes jumping closer to 100%.”
Sure, the United States’ propensity to sue for anything and everything, and the increase in home-based VPN villainy (particularly Ransomware), apparently a popular career choice for the YouTube generation, are certainly contributing — almost justifiable — factors. But the truth of the matter is the Cyber Insurance providers do it simply because they can. We’re talking about a very small, tight-knit group that gets together and sets rates as they see fit, basking in the freedom of no government regulations. Sure there are reports and committees and calls for more relevant legislation, but we all know the speed at which those proceed; a snail doing a lap around the track lugging a sun dial behind it.
On top of that, cyber insurers (and all insurers, for that matter) have a different business model than most other businesses; they don’t have to come to you to try and sell you their wares, you have to go to them, have to have insurance, and they know it.
This means they have no real concern about the expiry date on your existing policy, are in no hurry to get a new one done for you, tend to be sloppy/half-assed with their policy write ups, and get mad and threaten to blackball you if you lowball them; i.e. “shop for the best deal”, which is the SOP in consumerism since the invention of the monetary system.
But our hand is forced
In all fairness, the industry does try to justify the “caution” they are employing and the subsequent rate increases. They throw out figures ad nauseam showing the uptick of cyber attacks, particularly via Ransomware, thus the increase of payouts they have to cover. These attacks also stimulate demand, as companies that previously didn’t consider cyber insurance a justifiable expenditure now do, causing a supply problem, which in turn leads to competition for capacity, hence increasing prices.
They tell us about the lack of historical loss data to base their figures in reference to the uptick in breaches. They also inform us that few companies are paying for large breach cover (say, at least $200M) so that a very small amount of claims would take them years to recover. So they have to increase their rates, right?
All of this amounts to the “justification” of an increase in premiums, problems with scaling and a hardening risk-transfer market. According to some experts, the cyber insurance sector has a high ceiling for individual losses and potential for risk accumulation as well as large capital requirements. As a result, fewer insurers are willing to back cyber insurance policies, and those that do aren’t willing to hold too much of this risk.
For our company specifically, the biggest pain point in acquiring cyber insurance was obtaining Professional Indemnity. This was because, according to the insurers we reached out to (which, by the way, all piggy-backed down a funnel to three main underwriters), we are a UK-based company and the bulk of our existing contracts are US-based.
This was never a problem in the past but was excruciatingly difficult to negotiate this time around. The fact that we’ve never made a claim or been threatened by any legal action bore absolutely no weight with the insurers. To them it was a moot point; insignificant in the pursuit for bottom-line profit. UK insurers feel that a cyber security company within its jurisdiction that has more than 50% of its client contract US-based is too high a risk to cover due, as stated earlier, to the propensity for Americans to sue, as well as globally-viewed opinions that the US is very sloppy with their cyber security practices.
Additionally, because we are a cyber security company, we are considered a “top-tier risk” because of the sensitive material we deal with in bulk. Insurers are also now scrutinizing each policy candidate for their cyber security practices, such as data loss prevention procedures, multi-factor authentication systems and encryption practices, how often and quickly a business can spot and patch software vulnerabilities, and whether third-party vendors are used to monitor and assess security issues.
The very fact that our customers hire us explicitly because of our diligence and vigilance in these matters — that they trust us to keep their sensitive data secure — holds no weight when it comes to setting our policy rates or even obtaining such insurance nuances as Professional Indemnity. “What if” becomes the insurers’ reality, not “what happened ‘’ or “what is likely to happen”; conjecture trumps likelihood — the joker beats the straight from cards dealt from the bottom of the deck.
So what can be done?
Sadly, nothing at this point. If you know anyone who can control the market, any market, to his or her needs, sign me up to their Patreon page. The “rent” control concept, where the government sets a base price, won’t work because this will shift as party power does and will become the hot mess that anything the government intervenes in does.
The change and stabilization of rates and cover requirements falls solely on the cyber insurance companies. They must revamp their dated cut-and-paste cyber security practice requirements and consider who is applying: a cyber security company, for example, not only has a goal to help companies from data loss and extortion, but is also helping insurance companies by preventing the amount of money that has to be paid out due to breaches.
Simply put, set rates according to the nature of the business and take into account the business’ actual claims, something that they state is standard practice. Encourage companies of any size to get sufficient cover by making it affordable and feasible. This expenditure will make it practical for them to spend more on cyber hygiene, thus increasing the overall profit of the cyber insurers due to less payouts. A win-win situation.
Sources:
https://fortune.com/2021/11/10/inflation-30-year-high-october-cpi-prices/
https://www.forbes.com/advisor/investing/why-is-inflation-rising-right-now/
https://www.cisa.gov/cybersecurity-insurance
https://content.naic.org/cipr_topics/topic_cybersecurity.htm
https://hbr.org/2021/01/cybersecurity-insurance-has-a-big-problem
